Manual Chapter : Create a New DoS Profile

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Create a New DoS Profile

Creating a new DoS profile to improve application security

A denial of service attack (DoS attack) makes a resource unavailable to its intended users, or obstructs the communication media between the intended users and the site. A DoS profile allows you to define, monitor, and mitigate traffic patterns that threaten application security.
First, you create a new DoS profile that defines general properties of DoS protection. Once the profile is created, you can configure your profile to detect DoS attacks specific to application security. Application security can define DoS attacks based on either:
  • A high volume of incoming traffic (using TPS-based Detection settings)
  • Server stress (with Behavioral and Stress-based Detection settings)
You can assign your new DoS profile to one or several applications and virtual servers that require DoS attack protection.

Create a DoS profile with application security

Before you can create a DoS profile, your virtual server must include an HTTP profile to use the application security feature.
You create a new DoS profile for your objects if you have not yet configured DoS protection, or if the current DoS profiles in the system do not meet the needs of your application or stand-alone virtual server.
  1. Go to Monitoring > DASHBOARDS > L7 Dashboard.
    The screen displays your protected objects and provides summary data based on the selected time settings. To change the scope of the time settings, use the control at the top left of the screen.
  2. Click Create and select DoS Profile.
  3. In the New DoS Profile screen, add and set the properties as appropriate.
  4. Specify a unique Name for the DoS profile.
  5. To add a template that automatically populates the required fields for specific protection aspects of the DoS profile, select an option from Create from template.
    Certain template options have a minimum required BIG-IP device version. Ensure that you are creating a DoS profile for a device that meets these requirements.
  6. Specify an optional Description for the DoS profile.
  7. Specify the Partition to which the DoS profile belongs.
    You can replace the default Common partition when creating DoS profiles by typing a unique name for a new partition.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  8. If you want to make this policy available to application templates, for Application Templates select the Make available in Application Templates check box.
  9. Specify the Threshold Sensitivity for the DoS profile.
    Thresholds for detecting attacks are higher when sensitivity is Low, and lower when sensitivity is High.
    This property is not used with the Application Security protection type.
  10. In the Source IP Address Whitelist setting, specify the configuration of the Source IP address whitelist.
    This property is not used with the Application Security protection type.
  11. In the HTTP Whitelist setting, specify the HTTP whitelist to use.
    This setting is applied only to BIG-IP devices version 13.0, or later.
  12. At the left, click Application Security > Properties, then select the Application Security Enabled check box.
    When enabled, this protects your web application against DoS attacks. Supply or modify any necessary values in the Properties settings. For information on the configuration process, refer to the Configure for application security topic in F5 BIG-IQ Centralized Management: Security on support.f5.com.
  13. To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click TPS-based Detection.
    Property: Description
    Operation Mode: Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
    Thresholds Mode: Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select Manual.
    • To use the system default mitigation threshold settings, select Automatic.
      Your Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
    Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  14. To configure settings for the detection of DoS attacks based on server stress, click Behavioral and Stress-based Detection.
    Property: Description
    Operation Mode: Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
    Thresholds Mode: Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select Manual.
    • To use the system default mitigation threshold settings, select Automatic.
      Your Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
    Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Detection and Mitigation: Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
    • For the Bad actors behavior detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
    • For the Request signatures detection setting, select Enabled to perform signature detection.
    • For signature detection before establishing a connection, select Accelerated signatures.
    • For system admin mitigation approval of detected signatures, select Use approved signatures only. This is an extra step that allows the administrator to manually approve detected signatures.
    • For the Mitigation setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
    Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  15. When you are finished, save your work.
The new DoS profile is added to the list of profiles. At this point, you can add it to any object that requires a DoS profile.
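
The constraints stated in the procedure above can be checked before the profile is built in the New DoS Profile screen. The following pre-flight check is an added example, not F5 code and not a BIG-IQ API: the dictionary keys, the check_profile function and the sample values are hypothetical and constructed for illustration.

```python
import re

OPERATION_MODES = {"Off", "Transparent", "Blocking"}
THRESHOLD_MODES = {"Manual", "Automatic"}
# Constructed sample inputs (hypothetical schema, not taken from a real device).
DEVICE = {"version": "12.1.3", "partitions": {"Common", "web"},
          "existing_profiles": {"dos_default"},
          "virtual_server_has_http_profile": True}
PLAN = {"name": "dos_default", "partition": "web apps", "http_whitelist": "wl1",
        "application_security": True, "threshold_sensitivity": "High",
        "tps_based_detection": {"operation_mode": "Off", "thresholds_mode": "Manual"},
        "stress_based_detection": {"operation_mode": "Blocking"}}

def version_tuple(v):
    """'13.1.0' -> (13, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def check_profile(plan, device):
    """Return findings for a planned DoS profile, one string per violated rule."""
    findings = []
    name = plan.get("name", "")
    if not name:
        findings.append("name: required")
    elif name in device["existing_profiles"]:
        findings.append(f"name: '{name}' is not unique")
    partition = plan.get("partition", "Common")
    if re.search(r"\s", partition):
        findings.append("partition: whitespace is not allowed")
    elif partition not in device["partitions"]:
        findings.append(f"partition: '{partition}' does not exist on the device")
    if plan.get("http_whitelist") and version_tuple(device["version"]) < (13, 0):
        findings.append("http_whitelist: applied only to BIG-IP 13.0 or later")
    if plan.get("application_security"):
        if not device["virtual_server_has_http_profile"]:
            findings.append("application_security: virtual server needs an HTTP profile")
        for unused in ("threshold_sensitivity", "source_ip_whitelist"):
            if unused in plan:
                findings.append(f"{unused}: not used with Application Security")
    for section in ("tps_based_detection", "stress_based_detection"):
        cfg = plan.get(section, {})
        mode = cfg.get("operation_mode", "Off")
        if mode not in OPERATION_MODES:
            findings.append(f"{section}: unknown operation mode '{mode}'")
        elif mode == "Off" and any(k != "operation_mode" for k in cfg):
            findings.append(f"{section}: mode is Off, other properties are not shown")
        elif mode != "Off" and cfg.get("thresholds_mode") not in THRESHOLD_MODES:
            findings.append(f"{section}: thresholds mode must be Manual or Automatic")
    return findings

if __name__ == "__main__":
    print("\n".join(check_profile(PLAN, DEVICE)))
```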