Manual Chapter: Configuring DoS Policy Switching
Applies To: BIG-IP ASM 17.1.2, 17.1.1, 17.1.0, 17.0.0
Overview: Configuring DoS policy switching
You can configure the BIG-IP system to protect against Layer 7 DoS
attacks by applying unique profiles in different situations, or to different types of traffic.
In this example, you configure DoS protection for Layer 7 by creating two DoS profiles with
Application Security enabled. You associate the DoS profiles with virtual servers representing
the applications that you want to protect. You also create a local traffic policy with rules that
assign different DoS protections depending on the traffic. Then you associate the local traffic
policy with the virtual servers.
This example divides traffic into three categories:
- Employees: A unique DoS profile, assigned to employees, reports DoS attacks but does not drop connections when there is an attack.
- Internal users: No DoS protection is applied to internal users.
- Others: The strictest DoS protection is applied using the default DoS profile for all other users; the system blocks DoS attacks that occur on other traffic.
Many other options are available for configuring DoS policy switching. This is simply one way
to illustrate how you can configure multiple DoS protections using a local traffic policy to
determine different conditions and actions. By following the steps in this example, you can see
the other options that are available on the screens, and can adjust the example for your
needs.
About DoS protection and local traffic policies
To provide additional flexibility for configuring DoS protection, you can
use local traffic policies together with DoS protection. The advantage of creating local traffic
policies is that you can apply multiple DoS protection policies to different types of traffic,
using distinct DoS profiles. However, you need to be aware of certain considerations when using
this method.
Local traffic policies can include multiple rules. Each rule consists of a
condition and a set of actions to be performed if the respective condition holds. So you can
create a local traffic policy that controls Layer 7 DoS protection and includes multiple rules.
If you do, every rule must include one of the following Layer 7 DoS actions:
- Enable DoS protection using the default DoS profile (/Common/dos)
- Enable DoS protection from a specific DoS profile
- Disable DoS protection
Make sure that the local traffic policy with DoS protection includes a default rule with no
condition that applies to traffic that does not match any other rule. In addition, be sure that
each rule (including the default one) has an L7 DoS action in it, possibly in addition to other
actions.
A default rule is required because a local traffic policy action applies
not only to the request that matched the condition, but also to subsequent requests on the
same TCP connection, even if they do not match the condition that triggered the action, unless
a subsequent request on the same connection matches a different rule with a different L7 DoS action.
The default rule ensures that every request matches some rule (if only the
default one) and triggers an appropriate Layer 7 DoS action. This way a request does not
silently inherit the action of the previous request on the same connection, which can yield
unexpected results.
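As an added illustration (not code from the F5 documentation), the following Python model of the first-match policy and the per-connection action stickiness described above shows why the condition-free default rule matters. The rule names, hosts and profile names are the chapter's example values; the request sequence is constructed, and the model's treatment of a connection on which no rule has matched yet (None) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Model of one local traffic policy rule: an optional "HTTP Host ends with"
# condition (None models the "All traffic" default rule) and an L7 DoS action.
@dataclass(frozen=True)
class Rule:
    name: str
    host_ends_with: Optional[str]
    l7dos_action: Optional[str]   # "enable:<profile>", "disable", or None (missing)

    def matches(self, host: str) -> bool:
        return self.host_ends_with is None or host.endswith(self.host_ends_with)

# The three rules from this chapter's example, in "first" strategy order.
EXAMPLE_POLICY = [
    Rule("employees", "employee.my_host.com", "enable:/Common/employee_l7dos_profile"),
    Rule("internal", "internal.my_host.com", "disable"),
    Rule("others", None, "enable:/Common/dos"),
]

def validate_policy(policy):
    """Return the problems the chapter warns about: a rule without an L7 DoS
    action, or no condition-free default rule."""
    problems = [f"rule {r.name!r} has no L7 DoS action"
                for r in policy if r.l7dos_action is None]
    if not any(r.host_ends_with is None for r in policy):
        problems.append("no default rule (a rule with no condition)")
    return problems

def evaluate_connection(policy, hosts):
    """Apply first-match evaluation to the requests of ONE TCP connection and
    return (host, matched rule name, effective L7 DoS action) per request.
    Models the stickiness described above: once a rule's L7 DoS action is
    applied it stays in force for later requests on the connection until a
    different rule matches. None (assumption) means the policy has not
    decided yet; what the virtual server does then is outside this model."""
    current = None
    out = []
    for host in hosts:
        rule = next((r for r in policy if r.matches(host)), None)
        if rule is not None:
            current = rule.l7dos_action
        out.append((host, rule.name if rule else None, current))
    return out

if __name__ == "__main__":
    # Constructed request sequence on one keep-alive connection.
    hosts = ["employee.my_host.com", "www.my_host.com", "internal.my_host.com"]
    print("without default rule:", evaluate_connection(EXAMPLE_POLICY[:2], hosts))
    print("with default rule:   ", evaluate_connection(EXAMPLE_POLICY, hosts))
    print("problems:", validate_policy(EXAMPLE_POLICY[:2]))
```

Without the others rule, the second request (www.my_host.com) silently keeps the employee report-only profile; with it, that request gets the strict default profile.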
A typical default rule for Layer 7 DoS has no condition and simply enables DoS protection.
In this case, the action the rule takes is to use the DoS policy attached to the virtual server.
In the example of configuring DoS policy switching, the third rule, others, is the default rule.
Creating a DoS profile for Layer 7 traffic
To define the circumstances under which the system considers traffic to be a Denial
of Service (DoS) attack, you create a DoS profile. For the DoS policy switching example,
you can create a special DoS profile, for employees, that does not block traffic. It
only reports the DoS attack.
- On the Main tab, open the Protection Profiles list screen.
- Click Create. The Create New DoS Profile screen opens.
- In the Name field, type employee_l7dos_profile for the profile, then click Finished.
- In the list of DoS profiles, click the name of the profile you just created, and click the Application Security tab.
- On the left, under Application Security, click General Settings, and ensure that Application Security is enabled. The screen displays additional settings.
- On the left, under Application Security, click TPS-based Detection. The screen displays TPS-based DoS Detection settings.
- For Operation Mode, select the option that determines how the system reacts when it detects a DoS attack. Transparent displays data about DoS attacks on the DoS reporting screens, but does not block requests or perform any of the mitigations. Blocking applies the necessary mitigation steps to suspicious IP addresses, geolocations, URLs, or the entire site, and also displays information about DoS attacks on the DoS reporting screens. Select Off to turn this type of DoS detection off. For this example's report-only employee profile, select Transparent. The screen displays additional configuration settings when you select an operation mode.
- Use the default values for the other settings.
- Click Update to save the DoS profile.
You have now created a simple DoS profile to report DoS attacks based on transaction
rates using TPS-based DoS protection.
Modifying the default DoS profile
The BIG-IP system includes a default DoS profile that you can
modify to specify when to use DoS protection. For the DoS policy switching example, you
can modify the default DoS profile and use it for people other than employees or
internal users who are accessing applications. This example creates a strict default DoS
profile that drops requests considered to be an attack.
- On the Main tab, open the Protection Profiles list screen.
- Click the profile called dos, and click the Application Security tab. The DoS Profile Properties screen opens.
- On the left, under Application Security, click General Settings, and ensure that Application Security is enabled. The screen displays additional settings.
- On the left, under Application Security, click TPS-based Detection. The screen displays TPS-based DoS Detection settings.
- In the TPS-based DoS Detection settings, ensure that the Operation Mode is set to Blocking.
- On the left, under Application Security, click Behavioral & Stress-based Detection. The screen displays Behavioral & Stress-based DoS Detection settings.
- In the Behavioral & Stress-based Detection settings, edit the Operation Mode, and select Blocking.
- Use the default values for the other settings.
- Click Update to save the DoS profile.
You have now modified the default DoS profile that will be used for people other
than employees or internal users. For these users, the system drops connections from
attacking IP addresses, and for requests directed to attacked URLs.
Creating a local traffic policy for DoS policy switching
You can create a local traffic policy to impose different levels of DoS protection
on distinct types of Layer 7 traffic.
- On the Main tab, open the Policy List page.
- Click Create. The New Policy screen opens.
- In the Policy Name field, type a name for the local traffic policy.
- From the Strategy list, select first. The system applies the first rule that matches the criteria specified.
- If you see a Type setting, leave it set to Traffic Policy.
- Click Create Policy to create the local traffic policy.
- Click Save Draft to save the local traffic policy.
You have now created a draft local traffic policy, but it does not direct traffic
yet.
Next, you need to add rules to the local traffic policy to specify the DoS
protection that should occur for different types of Layer 7 traffic.
Creating policy rules for DoS policy switching
Before you can add rules to the local traffic policy, you need to have created the
policy, and it must be in draft form. For this example, you need two DoS profiles that
enable Application Security and perform DoS protection: one for employees,
employee_l7dos_profile, and another for other people accessing the system from outside
(the default dos profile, with Application Security enabled).
You can add rules to define conditions and perform specific actions for different
types of Layer 7 traffic. This example creates three rules to implement different DoS
protection for employees, for internal personnel, and for others.
- On the Main tab, open the Policy List page.
- Click the name of the draft local traffic policy that you want to control Layer 7 DoS.
- In the Rules area, click Create. The New Rule screen opens.
- Create a rule to define DoS protection for employees:
  - In the Name field, type the name employees.
  - In the Match all of the following conditions area, click +.
  - In the same area, from the lists, select HTTP Host, host, and ends with; then, after any of, in the lower field, type employee.my_host.com, and click Add.
  - To specify a unique DoS profile for employees, in the Do the following when the traffic is matched area, select Enable, l7dos, then after from profile, select employee_l7dos_profile (or a previously created custom DoS profile).
  - Click Save to add the rule to the policy.
- Create a rule to define DoS protection for internal personnel:
  - In the Name field, type the name internal.
  - In the Match all of the following conditions area, click +.
  - In the same area, from the lists, select HTTP Host, host, and ends with; then, after any of, in the lower field, type internal.my_host.com, and click Add.
  - To turn off DoS protection for employees working internally, in the Do the following when the traffic is matched area, select Disable and l7dos.
  - Click Save to add the rule to the policy.
- Create a rule to define DoS protection for anyone else not handled by the first two rules:
  - In the Name field, type the name others.
  - Leave Match all of the following conditions set to All traffic.
  - To specify DoS protection for all others, in the Do the following when the traffic is matched area, select Enable, l7dos, then after from profile, select dos (or a previously created custom DoS profile).
  - Click Save to add the rule to the policy.
  This last rule is the default rule, which applies if the other two rules do not apply. If you do not include a rule like this, and traffic does not match any other rule, the previous rule that was applied is used again.
- Click Save Draft to save the draft local traffic policy with the rules. The Policy List page opens.
- Select the check box next to the draft policy you edited, and click Publish.
You have now created and published a local traffic policy that defines DoS
protection for employees, for internal traffic, and for others.
Next, you need to associate the DoS profiles and the local traffic policy with the
virtual server that connects to the application server you are protecting.
Apply a protection profile to a protected object
You must add the DoS protection profile to the protected
object to provide enhanced protection from DoS attacks, and track anomalous activity on the
BIG-IP system.
- On the Main tab, open the list of protected objects.
- Click the name of the protected object (virtual server) to which you want to assign a protection profile. The Properties pane opens on the right.
- In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign. Ensure a Service Profile is selected to enable the protected object to process application traffic.
- Click Save.
The DoS protection profile is associated with the protected object and DoS protection is now enabled.
Associating a published local traffic policy with a virtual server
After you publish a local traffic policy, you
associate that published policy with the virtual server created to handle application
traffic.
- On the Main tab, open the Virtual Server List screen.
- Click the name of the virtual server you want to modify.
- On the menu bar, click Resources.
- In the Policies area, click the Manage button.
- For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
- Click Finished.
The published policy is associated with the virtual server.
Implementation results
When you have completed the steps in this implementation, you have configured the Application Security Manager™ to protect against Layer 7 DoS attacks. By using a
local traffic policy, you distinguished between three types of traffic: employees, internal
users, and others.
The first rule in the local traffic policy identifies employees by the Host header of the request, which ends with
employee.my_host.com. You created a special DoS profile for employees that reports transaction-based DoS attacks but does not drop connections. The second rule in the local traffic policy identifies internal users by the Host header of the request, which ends with
internal.my_host.com. In the policy, you specified that there should be no DoS protection for internal users.
A third rule acts as the default rule and applies to any traffic that was not identified by the
first two rules. All other traffic uses the default DoS profile (dos)
assigned on the Security tab of the virtual server where traffic is directed to the application.
You modified the default DoS profile to block transaction-based and server stress-based DoS
attacks that the system detects.
After creating the local traffic policy with Layer 7 DoS rules, you also associated it with
the virtual server. Different types of traffic directed to the virtual server now have distinct
DoS protections assigned to them.