Manual Chapter : Preventing Global DoS Sweep and Flood Attacks

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.1.9, 15.1.8
Manual Chapter

Preventing Global DoS Sweep and Flood Attacks

Overview: Preventing DoS sweep and flood attacks

A sweep attack is a network scanning technique that sweeps your network by sending packets from a single host to multiple destination. The packet responses are then used to determine responsive hosts. Typical attacks use ICMP to accomplish this.
The sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also configure the sweep vector to automatically blacklist an IP address from which the sweep attack originates.
The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.
A
flood attack
is a an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm and prevent legitimate access the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large amount of UDP packets, requiring the system to verify applications and send responses.
The flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.
The BIG-IP system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.
You can configure DoS sweep and flood prevention through DoS Protection >Device Configuration > Network Security.

Detect and protect against single endpoint DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click
    Security
    DoS Protection
    Device Protection
    .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose
    Network
    .
    The screen displays the network attack vectors.
  3. Click
    Single Endpoint Flood
    .
    The
    Single Endpoint Flood
    Properties pane opens on the right side of the screen.
  4. On the Properties pane, for
    State
    , select
    Mitigate
    .
  5. From the
    Detection Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the
    Mitigation Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. In the
    Packet Type
    area, select the packet types you want to detect for this attack type in the
    Available
    list, and move them to the
    Selected
    list.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps and logging to better track threats to your system.

Detect and protect against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP addresses that you detect perpetrating such attacks.
  1. On the Main tab, click
    Security
    DoS Protection
    Device Protection
    .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose
    Network
    .
    The screen displays the network attack vectors.
  3. Click
    Single Endpoint Sweep
    .
    The Single Endpoint Sweep Properties pane opens on the right side of the screen.
  4. On the Properties pane, for
    State
    , select
    Mitigate
    .
  5. From the
    Detection Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the
    Mitigation Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. To automatically blacklist bad actor IP addresses, select
    Add Source Address to Category
    .
    For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy:
    Security
    Network Firewall
    IP Intelligence
    Policies
    . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  8. From the
    Category Name
    list, select a black list category to apply to automatically blacklisted addresses.
  9. In the
    Sustained Attack Detection Time
    field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the
    Category Duration Time
    field, specify the length of time in seconds that the address will remain on the blacklist. The default is
    14400
    seconds (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select
    Allow External Advertisement
    .
    To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at
    Security
    Options
    External Redirection
    Blacklist Publisher
    .
  12. In the
    Packet Type
    area, select the packet types you want to detect for this attack type in the
    Available
    list, and move them to the
    Selected
    list.
Now you have configured the system to provide protection against DoS sweep attacks, to allow such attacks to be identified in system logs and reports, and to automatically add such attackers to a blacklist of your choice.
Configure SNMP traps and logging to better track threats to your system.

Detect and protect against UDP flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for UDP flood attacks.
  1. On the Main tab, click
    Security
    DoS Protection
    Device Protection
    .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose
    Network
    .
    The screen displays the network attack vectors.
  3. Click
    UDP Flood
    .
    The UDP Flood Properties pane opens on the right side of the screen.
  4. On the Properties pane, for
    State
    , select
    Mitigate
    .
  5. For
    Threshold Mode
    , select
    Fully Manual
    .
  6. From the
    Detection Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the
    Detection Threshold %
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold of 1-hour average, an attack is logged and reported. The system continues to check every second and registers an attack as long as the threshold is exceeded.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  8. From the
    Mitigation Threshold EPS
    list, select
    Specify
    or
    Infinite
    .
    • Use
      Specify
      to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use
      Infinite
      to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  9. Click
    Simulate Auto Threshold
    to log a simulated attacked event that the system identifies as a DoS attack according to the automatic thresholds, though enforcing manual thresholds.
    This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select
    Fully Automatic
    for a vector.
  10. To detect IP address sources from which possible attacks originate, enable
    Bad Actor Detection
    .
    Bad Actor Detection is not available for every vector.
  11. In the
    Per Source IP Detection Threshold EPS
    field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the
    Per Source IP Mitigation Threshold EPS
    field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select
    Add Source Address to Category
    .
    For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy:
    Security
    Network Firewall
    IP Intelligence
    Policies
    . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  14. From the
    Category Name
    list, select a black list category to apply to automatically blacklisted addresses.
  15. In the
    Sustained Attack Detection Time
    field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  16. In the
    Category Duration Time
    field, specify the length of time in seconds that the address will remain on the blacklist. The default is
    14400
    seconds (4 hours).
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select
    Allow External Advertisement
    .
    To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at
    Security
    Options
    External Redirection
    Blacklist Publisher
    .
  18. For automatic blacklisting, click
    Attacked Destination Detection
    , and configure the additional settings as for Bad Actor Detection.
  19. From the
    Port List Type
    list, select
    Include All Ports
    or
    Exclude All Ports
    .
    An
    Include
    list checks all the ports you specify in the Port List, using the specified threshold criteria, and ignores all others.
    An
    Exclude
    list excludes all the ports you specify in the Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  20. In the
    UDP Port List
    area, type a port number to add to an exclude or include UDP port list.
  21. In the
    UDP Port List
    area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None
      does not include or exclude the port.
    • Source only
      includes or excludes the source port.
    • Destination only
      includes or excludes the destination port.
    • Both Source and Destination
      includes or excludes both the source and destination ports.
You have now configured the system to provide customized protection against UDP flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps and logging to better track threats to your system.