Manual Chapter :
Preventing Attacks with Eviction Policies and Connection Limits
Applies To:
Show VersionsBIG-IP AFM
- 15.1.9, 15.1.8
Preventing Attacks with Eviction Policies and Connection Limits
What are eviction policies and connection limits?
An
eviction policy
provides the system with guidelines for how aggressively it
discards flows from the flow table. You can customize the eviction policy to prevent flow table
attacks, where a large number of slow flows are used to negatively impact system resources. You
can also set how the system responds to such flow problems in an eviction policy, and attach such
eviction policies globally, to route domains, and to virtual servers, to protect the system,
applications, and network segments with a high level of customization.A
connection limit
provides a hard limit to the number of connections allowed on a
virtual server or on a route domain. If you set such a limit, all connection attempts that exceed
this limit are not allowed.Task list
Create an eviction policy
You can create eviction policies to control the granularity and aggressiveness with
which the system discards flows.
- On the Main tab, click.
- ClickCreate.TheNew Eviction Policyscreen opens.
- In theNamefield, type a name for the eviction policy.
- In theTriggerfields, type a high and low water mark for the eviction policy.This measure specifies the percentage of the quota, for this context, before flow eviction starts (high water mark) and ends (low water mark).
- EnableSlow Flow Monitoringto monitor flows that are considered slow by the system, and specify the slow flow threshold in bytes per second.This combination of settings monitors the system for flows that fall below the slow flow threshold for more than 30 seconds.
- In theGrace Periodfield you can set a grace period, in seconds, between the detection of slow flows that meet the threshold requirement, and purging of slow flows according to theSlow Flow Throttlingsettings.
- In the Slow Flow Throttling area, set the slow flow throttling options.DisabledSlow flows are monitored, but not removed from the system when the threshold requirement is met for 30 seconds.AbsoluteSlow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting an absolute limit removes all slow flows beyond the specified absolute number of flows.PercentSlow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting a percentage limit removes that percentage of slow flows that exceed the specified monitoring setting, so the default value of 100% removes all slow flows that exceed the slow flow threshold, after the grace period.
- ForStrategies, configure the strategies that the eviction policy uses to remove flows by moving algorithms from theAvailablelist to theSelectedlist.
- ClickFinished.
The eviction policy appears in the Eviction Policy List.
To use an eviction policy, associate it with a
protected object or a route domain. You can configure a global eviction policy at
.Eviction policy strategy algorithms
This table lists the BIG-IP eviction policy algorithms and associated
configuration information.
In an eviction policy, you specify one or more algorithms, or any combination of algorithms, to
determine how traffic flows are dropped when the eviction policy threshold limits are reached.
Selected algorithms are processed at the same time as a combined strategy, not in a specific
order, so the combination of algorithms determines the final strategy used to remove flows.
This strategy biases or weights the final algorithm toward the outcomes you have selected,
though these choices are not absolute.
You must specify at least one algorithm to use to determine how traffic is dropped
with an eviction policy, otherwise flows are removed at random when the eviction policy
threshold is reached.
Algorithm |
Description |
---|---|
Bias Idle |
Biases flow removal toward the existing flows that have been idle,
with no payload bytes, for the longest. |
Bias Oldest |
Biases
flow removal toward the oldest existing flows. |
Bias Bytes |
Biases flow removal toward the flows with the fewest bytes. When this
algorithm is selected, add a value to the field Minimum Time
Delay in the Strategy Configuration area. This value
determines the period of time for which a flow is allowed to exist, at a
minimum, before it is subject to removal through the Bias Bytes
algorithm. |
Bias Fast |
Biases flow removal toward the fastest existing flows. |
Bias Slow |
Biases flow removal toward the slowest existing flows. |
Low Priority Route Domains |
Biases flow removal toward flows on low priority route domains. When
this algorithm is selected, use the Low Priority Route
Domains setting in the Strategy
Configuration area to move low priority route domains
from the Available list to the
Selected list. |
Low Priority Virtual Servers |
Biases flow removal toward flows on low priority virtual servers.
When this algorithm is selected, use the Low Priority Virtual
Servers setting in the Strategy
Configuration area to move low priority virtual servers
from the Available list to the
Selected list. |
Low Priority Countries |
Biases flow removal toward flows from lower priority countries. When
this algorithm is selected, in the Low Priority
Countries setting in the Strategy
Configuration area, select low priority countries from
the list and click Add to add them to the low
priority list. |
Low Priority Ports and Protocols |
Biases flow removal toward flows on low priority ports and protocols.
When this algorithm is selected, use the Low Priority Ports
and Protocols setting in the Strategy
Configuration area to add ports, protocols, and
combinations to the low priority ports and protocols list (you must also
specify a name). |
Limit global connections and flows
You must first create an eviction policy before you can assign one globally. The system
includes a global eviction policy, by default.
Assign global connection limits and an eviction policy to prevent possible attacks or
overflows on system flows.
- On the Main tab, click.The Local Traffic General settings screen opens.
- From theEviction Policylist, select the eviction policy to apply globally.The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy,default-eviction-policyis applied and selected in this field.
- ClickUpdateto apply the changes.The eviction policy is applied to the context.
Limit connections and flows on a virtual server
You must first create an eviction policy before you can assign one to a virtual
server.
Assign connection limits and an eviction policy to a virtual server to enact granular control
over possible attacks or overflows on system flows.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- From theConfigurationlist, selectAdvanced.
- In theConnection Limitfield, type a number that specifies the maximum number of concurrent open connections.
- From theEviction Policylist, select an eviction policy to apply to the virtual server.
- ClickUpdateto apply the changes.The eviction policy is applied to the context.
Limit connections and flows on a route domain
Before performing this task, confirm that you have a configured route domain, or use the
common route domain
0
. You must add VLANs to a route domain for the route
domain to effect traffic.Assign connection limits and an eviction policy to a route domain to enact granular control
over possible attacks or overflows on system flows.
- On the Main tab, click.The Route Domain List screen opens.
- In the Name column, click the name of the relevant route domain.
- In theConnection Limitfield, type the maximum number of concurrent connections allowed for the route domain. Setting this to0turns off connection limits. The default is0.
- From theEviction Policylist, select an eviction policy to apply to this route domain.
- ClickUpdate.The system displays the list of route domains on the BIG-IP system.
The route domain now applies the connection limit and eviction policy to flows and
connections.