Manual Chapter : Detecting Dynamic DoS Attacks

Applies To:


BIG-IP AFM 15.1.9, 15.1.8

Overview: Detecting Dynamic DoS Attacks

A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic signature enforcement, AFM can detect and mitigate such attacks automatically. Dynamic signature enforcement creates signatures for attacks based on changing traffic patterns over time. When an attack is detected, a signature is created and added to a list of dynamic signatures. All packets are then checked against the dynamic signature and mitigated according to the system's internal logic and the settings you specify. When packet processing on the system falls back to normal levels, the signature no longer appears as an attack and is removed from the dynamic signature list.

Enforcement modes

The following modes are available for dynamic signature enforcement.
Disabled
In this mode, no dynamic signature enforcement occurs.
Learn-Only
In this mode, the system establishes a baseline for packet processing on AFM. Learn-Only mode detects traffic patterns, establishes a baseline, and detects anomalies, but does not generate logs or dynamic signatures. Attacks are not mitigated in Learn-Only mode.
Enabled
In this mode, the system monitors traffic, compares traffic changes over time, and detects anomalies. Attacks are logged, dynamic signatures are generated, packets are compared to the dynamic signature, and attacks are mitigated. When an attack ceases, the dynamic signature is removed from the list.

Mitigation Sensitivity

Mitigation sensitivity establishes how aggressively the system mitigates dynamic DoS attacks. You can set this to None, Low, Medium, or High. By default, mitigation sensitivity is set to None. Low sensitivity is the least aggressive, at the risk of allowing more attack packets through. High drops packets more aggressively, even when attack confidence is lower.

Redirection/Scrubbing

You can configure redirection and scrubbing to handle mitigation of dynamic DoS signatures with an IP Intelligence category. The following parameters can be configured for redirection and scrubbing.
Scrubbing Category
You can select an IP Intelligence category for IP addresses blocked by dynamic DoS signatures. By default, the IP Intelligence category for scrubbed IP addresses is attacked_ips.
Scrubbing Advertisement Time
This is the duration for which a mitigated IP address is advertised to the IP Intelligence mechanism for scrubbing. The default is 300 seconds.

Start Relearning

The Start Relearning option clears historical data, thresholds, and signatures for the dynamic DoS detection system, and the dynamic DoS signature baseline is re-established. Relearning occurs for a period of 20 minutes. You can relearn dynamic signatures at the device level or at the protected object level (on the virtual server Security tab).

Detect global dynamic DoS attacks

You can enable dynamic signatures at the system level to dynamically detect and mitigate DoS attacks. Dynamic signatures can apply to Network or DNS device protection.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, select the Edit icon (pencil) on the right side of the Network or DNS area.
    The Network or DNS properties pane opens on the right.
  3. In the Properties pane, from the Dynamic Signature Enforcement list, select Enabled.
    At first, you may want to select Learn Only to track dynamic signatures without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, select Enabled.
  4. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive and triggers fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  5. For Network vectors only: to have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  6. If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
  7. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  8. Click Commit Changes to System at the top of the page to save the changes.
    The configuration is updated, and the Device Protection screen opens again.
You have enabled dynamic signatures at the system level. The system monitors traffic, detects anomalies, and generates dynamic signatures; packets are compared to the dynamic signature, and attacks are mitigated. When an attack ceases, the dynamic signature is removed from the list.

Detect dynamic DoS network attacks with a protection profile

You enable dynamic DoS signatures on a protection profile to detect dynamic DoS attacks at a more granular level than the system level. In this case, the protected objects associated with the protection profile use dynamic signature enforcement. Dynamic signatures can apply to Network or DNS device protection.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click the name of an existing protection profile (or create a new one).
    The Protection Profile Properties screen for that profile opens.
  3. At the bottom of the screen, select the Edit icon (pencil) on the right side of the Network or DNS area.
    The Network or DNS properties pane opens on the right.
  4. In the Properties pane, from the Dynamic Signature Enforcement list, select Enabled.
    At first, you may want to select Learn Only to track dynamic signatures without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, select Enabled.
  5. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive and triggers fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  6. For Network vectors only: to have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  7. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  8. Click Commit Changes to System at the top of the page to save the changes.
    The Protection Profile is updated.
You have configured the protection profile to detect dynamic DoS vectors and mitigate such attacks.
Next, you associate the protection profile with one or more protected objects to enable dynamic signature enforcement on those protected objects.

Apply a protection profile to a protected object

You must add the DoS protection profile to the protected object to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object (virtual server) to which you want to assign a protection profile.
    The Properties pane opens on the right.
  3. In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
    Ensure a Service Profile is selected to enable the protected object to process application traffic.
  4. Click Save.
The DoS protection profile is associated with the protected object and DoS protection is now enabled.

View and persist dynamic signatures

The BIG-IP AFM system must have completed the traffic learning period, two hours by default, and detected one or more traffic pattern anomalies in order to create a dynamic signature.
Dynamic signatures cannot be modified and do not remain in the configuration by default. You can view dynamic signature details and, if the signature is considered useful, make it permanent, or persistent, in the configuration. Persistent signatures can also be modified.
  1. On the Main tab, click Security > DoS Protection > Signatures.
  2. Click Dynamic to expand the list of dynamic signatures.
  3. Review the relevant signature statistics, such as Creation Info and Threshold EPS.
  4. Click the name of the signature to view the signature Predicate List.
  5. To make the dynamic signature a permanent, or persistent, signature, check the box next to the signature and click Make Persistent.
  6. To modify the signature, click Persistent.
  7. Click the name of the signature.
  8. The Properties page appears on the right, allowing you to modify the signature.