Manual Chapter : Managing DoS Profiles in Shared Security


About DoS profiles

A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.
Using Shared Security, you can configure DoS profiles to help prevent network, SIP, and DNS DoS and DDoS attacks, and to detect and protect against DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic).
You can monitor DoS profiles using the Monitoring > EVENTS > DoS screens, and DDoS attack data using the Monitoring > DASHBOARDS > DDoS screens.

DoS profile considerations when deploying to BIG-IP device clusters

In some cases, deploying a configuration containing a DoS profile from BIG-IQ Centralized Management to a BIG-IP device cluster can cause the cluster to become unsynchronized. If that occurs, manually synchronize the BIG-IP device cluster. Then, reimport the BIG-IP system configuration to BIG-IQ Centralized Management, and select Use BIG-IP system as the operation to resolve any differences.

DoS profile considerations when managing multiple BIG-IP device versions

You use BIG-IQ Centralized Management to manage multiple BIG-IP devices, which can run different software versions. In most cases, this is handled seamlessly. However, in certain cases, objects differ significantly between BIG-IP device versions, and these objects require special handling when shared between BIG-IP device versions.
  • Address lists in DoS profiles
    DoS profiles that have address lists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later.
  • Whitelists in DoS profiles
    DoS profiles that have whitelists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later. In the BIG-IQ Centralized Management DoS Profile, you configure whitelists differently, based on the BIG-IP device version you are managing.
    • To use a DoS profile to manage a BIG-IP device version 12.1 or earlier, select a whitelist value using the
      IP Address Whitelist
      setting on the DoS Profile Application Security Properties screen.
    • To use a DoS profile to manage a BIG-IP device version 13.0 or later, select a whitelist value using the
      HTTP Whitelist
      setting on the DoS Profile Properties screen.
    Do not select a value for both the
    HTTP Whitelist
    and the
    IP Address Whitelist
    settings in the same DoS profile.

Create DoS profiles

You can create a DoS profile and configure the circumstances under which the system considers traffic to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click
    Create
    .
  3. In the New DoS Profile screen, add and set the properties as appropriate.
  4. In the
    Name
    setting, specify a unique name for the DoS profile.
  5. In the
    Create from template
    setting, you can select pre-defined settings for Application Security:
    1. Select
      Default
      to enable general recommended settings for all required fields in Application Security.
    2. Select
      BADoS Support 14.1.x
      to enable recommended settings for all required fields in Behavioral & Stress-based Detection.
      Behavioral & Stress-based Detection template settings are recommended settings for BIG-IP versions 14.1 or later. This is not recommended for profiles attached to earlier BIG-IP versions.
    This template is only meant for DoS profiles on device version 14.1 or later. The template includes transparent protection against detected attacks.
  6. In the
    Description
    setting, specify an optional description for the DoS profile.
  7. In the
    Partition
    setting, specify the partition to which the DoS profile belongs. You can replace the default
    Common
    partition when creating DoS profiles by typing a unique name for a new partition.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  8. In the
    Application Templates
    setting, select whether the policy is available to application templates. To make this policy available to application templates, select
    Make available in Application Templates
    .
  9. In the
    Threshold Sensitivity
    setting, specify the threshold sensitivity for the DoS profile. Thresholds for detecting attacks are higher when sensitivity is
    Low
    , and lower when sensitivity is
    High
    .
    This property is not used with the Application Security protection type.
  10. In the
    Source IP Address Whitelist
    setting, specify the configuration of the Source IP address white list.
    This property is not used with the Application Security protection type.
  11. In the
    HTTP Whitelist
    setting, specify the HTTP whitelist to use.
    This setting is applied only to BIG-IP devices version 13.0, or later.
  12. Select and enable one or more of the DoS protection types from the list on the left.
    Application Security
    Click
    Application Security
    Properties
    , then select the
    Application Security
    check box,
    Enabled
    .
    When enabled, this protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature. Supply or modify any necessary property values.
    Protocol DNS
    Click
    Protocol DNS
    , then select the
    Protocol DNS Protection
    check box,
    Enabled
    .
    When enabled, this protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Supply or modify any necessary property values.
    Protocol SIP
    Click
    Protocol SIP
    , then select the
    Protocol SIP Protection
    check box,
    Enabled
    .
    When enabled, this protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.
    Network
    Click
    Network
    , then select the
    Network Protection
    check box,
    Enabled
    .
    When enabled, this protects your server against network DoS attacks. Supply or modify any necessary property values.
  13. When you are finished, save your work.
The new DoS profile is added to the list of profiles.

Configure for application security

Your virtual server must include an HTTP profile to use the application security feature.
You can configure the conditions under which the system determines that your application is under a DoS attack, and how the system reacts to a suspected attack.
For application security it is recommended to configure only one DoS profile per application.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name to configure.
  3. On the left, click
    Application Security
    to expand the list.
  4. Click
    Properties
    to display the General Settings screen and configure the application security general settings.
    1. In the
      Application Security
      setting, select
      Enabled
      to use application security protection and display additional properties.
    2. In the
      IP Address Whitelist
      setting, specify the IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
      • To add an IP address to the whitelist, type it in the upper field, and click
        Add
        . The IP address is added to the whitelist in the lower field.
      • To delete an IP address from the whitelist, select the IP address from the whitelist in the lower field, and click
        Remove
        .
      Apply this setting only to BIG-IP devices earlier than version 13.0.
    3. In the
      Geolocations
      setting, specify that you want to override the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
      • To allow traffic from a country, select the country and move it to the Geolocation Whitelist.
      • To block traffic from a country, select the country and move it to the Geolocation Blacklist.
    4. In the
      Trigger iRule
      setting, enable this setting if you have an iRule that manages DoS events in a customized manner.
    5. In the
      Single Page Application
      setting, enable this setting if your website is a single page application.
    6. In the
      URL Patterns
      setting, configure the URL patterns to be used. Each URL pattern defines a set of URLs which are logically the same URL with the varying part of the pattern acting as a parameter, such as
      /product/*php
      .
      • To add the URL pattern to the list, type the URL pattern and click
        Add
        .
      • To remove the URL pattern from the list, select the pattern from the URL Patterns list, and click
        Remove
        .
    7. In the
      Traffic Scrubbing
      setting, enable this setting if you want traffic scrubbing enabled during attacks by advertising BGP routes. This feature requires configuration of a scrubber profile. Change the
      Advertisement Duration
      value if needed.
    8. In the
      RTBH
      setting, enable this setting if you want to have remotely triggered black hole (RTBH) filtering of attacking BGP IPs by advertising BGP routes. This feature requires configuration of the blacklist publisher. Change the
      Advertisement Duration
      value if needed.
    9. In the
      Performance Acceleration
      setting, configure whether performance acceleration should be used.
      • To not use performance acceleration, select
        None
        .
      • To use performance acceleration, select the TCP fastL4 profile to be used as the fast-path for acceleration.
  5. To use the Proactive Bot Defense screen to configure those settings, click
    Proactive Bot Defense
    .
    Property
    Description
    Operation Mode
    Specifies the conditions under which the system detects and blocks bots. Select
    Off
    ,
    During Attacks
    , or
    Always
    . If
    Off
    is selected, no other settings are displayed on this tab.
    Block requests from suspicious browsers
    Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
    • Select the
      Block Suspicious Browsers
      check box to enable or disable blocking of suspicious browsers.
    • Select the
      CAPTCHA Challenge
      check box to enable or disable issuing a challenge. Click
      CAPTCHA Response Settings
      to select the responses to use.
    Grace Period
    Specifies time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click
    Reset to Default
    to reset the value.
    Cross-Domain Requests
    You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the
    Cross-Domain Requests
    options.
    Related Site Domains
    Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking
    Add
    . Remove a domain by selecting it and clicking
    Remove
    .
    Related External Domains
    Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking
    Add
    . Remove a domain by selecting it in the text box and clicking
    Remove
    .
    URL Whitelist
    Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the whitelist by typing a URL in the text box and clicking
    Add
    . Remove a URL by selecting it and clicking
    Remove
    .
  6. To use the Bot Signatures screen to configure those settings, click
    Bot Signatures
    .
    Property
    Description
    Bot Signature Check
    Select
    Enabled
    to display settings. You cannot disable the
    Bot Signature Check
    property while
    Proactive Bot Detection
    ,
    TPS-based Detection
    with
    By Device ID
    selected, or
    Stress-based Detection
    with
    By Device ID
    selected, is enabled. To disable the
    Bot Signature Check
    property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling
    Bot Signature Check
    , you can disable categories of bot signatures individually.
    Malicious Categories
    and
    Benign Categories
    These two category lists are handled similarly.
    For either category, select
    None
    ,
    Report
    , or
    Block
    . That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the
    Malicious Categories
    or
    Benign Categories
    changes to
    Custom Configuration
    . A user cannot set all categories to
    None
    and keep
    Proactive Bot Defense
    enabled.
    Disabled Bot Signatures
    Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the
    Available Signatures
    list and the
    Disabled Signatures
    list.
  7. To configure how mobile applications built with the Anti-Bot Mobile SDK are detected and to define how requests from mobile application clients are handled, click
    Mobile Applications
    .
    Property
    Description
    Mobile App Protection
    Select whether to enable mobile application DoS protection.
    • Select
      Enabled
      to enable configuration of mobile application DoS protection. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the settings.
    • Do not select
      Enabled
      to have mobile application requests handled without DoS protection.
    iOS
    Specify the settings for iOS mobile applications.
    • To allow traffic on any iOS package, select
      Allow Any Package Name
      . A package name is the unique identifier of the mobile application, such as
      com.f5.app1
      .
    • To allow traffic from jailbroken iOS devices, select
      Allow Jailbroken Devices
      .
    • To allow traffic on specified packages, enter the iOS package names to allow, and click
      Add
      . To remove a package from the list, select the package and click
      Remove
      . This option is not available if you have chosen
      Allow Any Package Name
      . When set, all other packages will be blocked with the mobile application response page text.
    Android
    Specify the settings for Android mobile applications.
    • To allow any application publisher, select
      Allow Any Publisher
      . A publisher is identified by the certificate used to sign the application.
    • To allow traffic from rooted Android devices, select
      Allow Rooted Devices
      .
    • To allow traffic on specified packages, select publisher certificates from the Available publisher certificate list, and move them to the Assigned publisher certificates list. All other certificates will be blocked with the mobile application response page text. This option is not available if you have chosen
      Allow Any Publisher
      .
    Advanced
    Specify advanced handling of requests from mobile applications.
    • When a CAPTCHA or client side integrity challenge needs to be presented, select the action to take.
      • To have the traffic passed without incident, select
        Always passed
        .
      • To have the traffic challenged for human behavior, select
        Challenged for human behavior
        . When selected, the SDK checks for human interactions with the screen in the last few seconds. If none are detected, the traffic is blocked.
    • To allow traffic from applications that are run on emulators, select
      Allow Emulators
      .
  8. To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click
    TPS-based Detection
    .
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects an attack, and can be
    Off
    ,
    Transparent
    , or
    Blocking
    . If set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  9. To configure settings for the detection of DoS attacks based on server stress, click
    Behavioral and Stress-based Detection
    .
    By default, enabling Application Security under General Settings automatically populates all required fields for Behavioral and Stress-based Detection. You can customize the default configuration using the properties described in the table below.
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects a stress-based attack, and can be
    Off
    ,
    Transparent
    or
    Blocking
    . If set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Detection and Mitigation
    Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
    • For the
      Bad actors behavior detection
      setting, select
      Enabled
      to perform traffic behavior, server capacity learning, and anomaly detection.
    • For the
      Request signatures detection
      setting, select
      Enabled
      to perform signature detection. Select
      Use approved signatures only
      to use only approved signatures.
    • For the
      Mitigation
      setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  10. To configure settings for protecting heavy URLs during DoS attacks, click
    Heavy URL Protection
    .
    Heavy URLs are those which have a potential to cause stress on the server, even with a low TPS count.
    Property
    Description
    Automatic Detection
    Select
    Enabled
    to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
    Heavy URLs
    You can configure a list of heavy URLs to protect in addition to the automatically detected ones. Type a URL in the top field, and click
    Add
    . Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click
    Remove
    .
    Ignored URLs
    You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click
    Add
    . To remove a URL from the list, select the URL from the text box, and click
    Remove
    .
    Latency Threshold
    If
    Automatic Detection
    is enabled, set the
    Latency Threshold
    setting to be the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is
    1000
    milliseconds. Click
    Reset to Default
    to reset the value to 1000.
  11. To define the responses to use when issuing a challenge, click
    CAPTCHA Response Settings
    .
    The exact format of a response body differs depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
    1. For the
      First Response Type
      , select
      Default
      to use the default response, or select
      Custom
      to create your own first response body by entering it into the
      First Response Body
      area.
      Here is an example first response body:
      This question is for testing whether you are a human visitor and to prevent automated spam submission. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
    2. For the
      Failure Response Type
      , select
      Default
      to use the default response or select
      Custom
      to create your own failure response body by entering it into the
      Failure Response Body
      area.
      Here is an example failure response body:
      You have entered an invalid answer for the question. Please, try again. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
  12. Click
    Record Traffic
    to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a
    pcap
    extension and are located in this path on the BIG-IP device:
    /shared/dosl7/tcpdumps
    .
    Property
    Description
    Record Traffic During Attacks
    Controls whether traffic recording is used. The default is disabled, which hides the other properties. Note that SSL traffic is recorded in its encrypted form. Select
    Enabled
    to specify that the system record traffic when a DoS attack is underway, and display settings.
    Maximum TCP Dump Duration
    Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
    Maximum TCP Dump Size
    Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
    TCP Dump Repetition
    Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
  13. Save your work.
The settings are incorporated into the DoS profile.
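The URL Patterns, Heavy URLs, Ignored URLs and Latency Threshold settings above interact: requests are first collapsed onto a URL pattern, then a URL whose latency exceeds the threshold is treated as heavy unless an Ignored URLs wildcard excludes it, and manually listed Heavy URLs are always protected. The following Python model of that classification is an added example, not F5 code; the latency samples, the manual entry /login, the ignored pattern /reports/* and the query-string handling are constructed assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed per-request latency samples (path, milliseconds): made-up values,
# not output from a BIG-IP device.
SAMPLE_REQUESTS = [
    ("/product/123.php", 1800),
    ("/product/456.php", 1500),
    ("/product/789.php", 1650),
    ("/login", 90),
    ("/login", 110),
    ("/reports/export", 4200),
    ("/reports/export", 3900),
    ("/health", 3),
    ("/search?q=shoes", 1200),
    ("/search?q=boots", 950),
]

LATENCY_THRESHOLD_MS = 1000        # Latency Threshold default from the page
URL_PATTERNS = ["/product/*php"]   # URL Patterns example from the page
MANUAL_HEAVY_URLS = ["/login"]     # Heavy URLs entered manually (assumed value)
IGNORED_URLS = ["/reports/*"]      # Ignored URLs; wildcards are supported


def normalize_url(path, patterns=URL_PATTERNS):
    """Map a request path onto the URL pattern it matches, so that paths which
    differ only in the varying part (here the product id) are counted as one
    URL. The query string is dropped before matching (modelling assumption)."""
    path = path.split("?", 1)[0]
    for pattern in patterns:
        if fnmatchcase(path, pattern):
            return pattern
    return path


def is_ignored(url, ignored=IGNORED_URLS):
    """True if the URL matches an Ignored URLs wildcard entry."""
    return any(fnmatchcase(url, pattern) for pattern in ignored)


def detect_heavy_urls(requests, threshold_ms=LATENCY_THRESHOLD_MS,
                      manual=MANUAL_HEAVY_URLS, ignored=IGNORED_URLS):
    """Return {url: mean_latency_ms} for every URL treated as heavy: each
    manually listed URL, plus each automatically detected URL whose mean
    latency exceeds the threshold and that no Ignored URLs entry excludes."""
    samples = defaultdict(list)
    for path, latency_ms in requests:
        samples[normalize_url(path)].append(latency_ms)
    heavy = {}
    for url, latencies in samples.items():
        avg = sum(latencies) / len(latencies)
        if url in manual:
            heavy[url] = avg                     # manual entries are always heavy
        elif avg > threshold_ms and not is_ignored(url, ignored):
            heavy[url] = avg                     # automatic detection
    return heavy


if __name__ == "__main__":
    for url, avg in sorted(detect_heavy_urls(SAMPLE_REQUESTS).items()):
        print(f"{url:20s} mean latency {avg:7.1f} ms")
```

With the constructed samples, /product/*php and /search are detected automatically, /login is protected because it was listed manually despite its low latency, and /reports/export is excluded by the ignored pattern even though it is the slowest URL.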

Configure for protocol DNS security

You can configure the conditions under which the system determines that your DNS server is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click
    Protocol DNS Security
    to display the Properties screen.
  4. On the Properties screen, select the
    Enabled
    check box for
    Protocol DNS Protection
    .
  5. To enable
    Protocol Errors Attack Detection
    , select the
    Enabled
    check box.
    This setting is ignored when deploying to BIG-IP devices with version 13.0 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    1. In the
      Rate increased by
      setting, specify that the system considers traffic to be an attack if the rate of requests increases above this number.
      By default, the system calculates this number every hour, and updates it every minute. The default is 500 percent.
    2. In the
      Rate threshold
      setting, specify the number of packets per second that must be exceeded to indicate to the system that there is an attack.
      The default is 250,000 packets per second.
    3. In the
      Rate limit
      setting, specify the limit in packets per second.
      The default is 2,500,000 packets per second.
  7. In the
    Enforcement
    setting in the Dynamic Signatures area, select the enforcement state for dynamic signatures. This setting is only available for BIG-IP devices version 13.1 or later.
    • To enable enforcement of dynamic DoS vectors, select
      Enabled
      . When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
    • To apply no action or thresholds to dynamic vectors, select
      Disabled
      .
    • To track dynamic vector statistics, without enforcing any thresholds or limits, select
      Learn-Only
      .
  8. In the
    Mitigation Sensitivity
    setting in the Dynamic Signatures area, specify the mitigation sensitivity for dynamic signatures (
    None
    ,
    Low
    ,
    Medium
    , or
    High
    ).
  9. At the bottom of the screen, review the list of known attack types and their current settings in the summary table.
    • Threshold Mode
      specifies how thresholds are set for this vector.
      • Fully Automatic
        indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
      • Manual Detection/Auto Mitigation
        indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
      • Fully Manual
        indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
    • Detection Threshold EPS
      specifies how many packets per second the system must discover in traffic in order to detect this attack.
    • Detection Threshold Percent
      specifies the threshold percent the system must discover in traffic in order to detect this attack.
    • Mitigation Threshold EPS
      specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
    • Bad Actor Detection
      specifies that Bad Actor detection is enabled. This appears only for non-error packets and non-sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
    • Add Source Address to Category
      specifies that the source IP address be added to the blacklist category assigned to the DoS vector.
  10. Customize attack types individually, as needed:
    1. Click the name of the attack type to open the properties screen for it.
    2. On the attack type properties screen, select the
      State
      for how to enforce protection for the attack type.
      • Mitigate
        indicates watch, learn, alert, and mitigate protection is used.
      • Detect Only
        indicates watch, learn, and alert protection is used.
      • Learn Only
        indicates that stats should be collected with no mitigation.
      • Disabled
        indicates that there should be no stat collection and no mitigation.
      Selecting a state determines which detection settings are displayed.
    3. Supply values for the properties displayed to configure the protection for the attack type.
    4. Click
      OK
      .
    Refer to the BIG-IP system documentation,
    BIG-IP Systems: DoS Protection and Protocol Firewall Implementations
    , for information on each attack type.
  11. Save your work.

Configure for protocol SIP security

Your virtual server must include a SIP (Session Initiation Protocol) profile to configure protocol SIP security in the DoS profile.
You can configure the conditions under which the system determines that your server, running SIP, is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click
    Protocol SIP Security
    to display the Protocol SIP Security Properties screen.
  4. On the Properties screen, select the
    Enabled
    check box for
    Protocol SIP Protection
    .
    The screen displays additional properties.
  5. To enable
    Protocol Errors Attack Detection
    , select the
    Enabled
    check box.
    This setting is ignored when deploying to BIG-IP devices with version 13.0 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    Setting
    Description
    Rate increased by
    Specifies that the system considers traffic to be an attack if the rate of requests increases greater than this number. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
    Rate threshold
    Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
    Rate limit
    Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
  7. At the bottom of the screen, review the list of known attack types and their current settings in the summary table.
    • Threshold Mode
      specifies how thresholds are set for this vector.
      • Fully Automatic
        indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
      • Manual Detection/Auto Mitigation
        indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
      • Fully Manual
        indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
    • Detection Threshold EPS
      specifies how many packets per second the system must discover in traffic in order to detect this attack.
    • Detection Threshold Percent
      specifies the threshold percent the system must discover in traffic in order to detect this attack.
    • Mitigation Threshold EPS
      specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
    • Bad Actor Detection
      specifies that Bad Actor detection is enabled. This appears only for non-error packets and non sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
    • Add Source Address to Category
      specifies that the source IP address be added to the blacklist category assigned to the DoS vector.
  8. Customize attack types individually, as needed:
    1. Click the name of the attack type to open the properties screen for it.
    2. On the attack type properties screen, select the
      State
      for how to enforce protection for the attack type.
      • Mitigate
        indicates watch, learn, alert, and mitigate protection is used.
      • Detect Only
        indicates watch, learn, and alert protection is used.
      • Learn Only
        indicates that stats should be collected with no mitigation.
      • Disabled
        indicates that there should be no stat collection and no mitigation.
      Selecting a state determines which detection settings are displayed.
    3. Supply values for the properties displayed to configure the protection for the attack type.
    4. Click
      OK
      .
    Refer to the BIG-IP system documentation,
    BIG-IP Systems: DoS Protection and Protocol Firewall Implementations
    , for information on each attack type.
  9. Save your work.

Configure for Network Security

You can configure the conditions under which the system determines that your server is under a network DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click Network Security to display the Properties screen.
  4. On the Properties screen, select the check box for Network Protection.
    The screen displays an area for configuring dynamic signatures, and a list of commonly known network attack types that the system can detect.
  5. In the Enforcement setting, select the enforcement state for dynamic signatures.
    This setting is available only for BIG-IP devices version 13.0 or later.
    • To enable enforcement of dynamic DoS vectors, select Enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
    • To apply no action or thresholds to dynamic vectors, select Disabled.
    • To track dynamic vector statistics without enforcing any thresholds or limits, select Learn-Only.
  6. In the Mitigation Sensitivity setting, specify the mitigation sensitivity for dynamic signatures (None, Low, Medium, or High).
  7. In the Redirection/Scrubbing setting, specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors.
    This enables handling of the dynamic vector hits by an IP intelligence category. Enabling redirection and scrubbing causes additional options to be displayed.
  8. In the Scrubbing Category setting, select the IP intelligence blacklist category to which scrubbed IP addresses are sent.
  9. In the Scrubbing Advertisement Time setting, type the duration in seconds for which an IP address is added to the blacklist category.
  10. At the bottom of the screen, review the Known Attack Types list, which shows commonly known attack types that you want the system to detect in packets.
  11. Review the list of known attack types and their current settings in the summary table.
    • Threshold Mode specifies how thresholds are set for this vector.
      • Fully Automatic indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
      • Manual Detection/Auto Mitigation indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
      • Fully Manual indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
    • Detection Threshold EPS specifies how many packets per second the system must discover in traffic in order to detect this attack.
    • Detection Threshold Percent specifies the percentage increase in traffic the system must discover in order to detect this attack.
    • Mitigation Threshold EPS specifies the maximum number of packets of this type per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
    • Bad Actor Detection specifies that Bad Actor detection is enabled. This appears only for non-error packets and non-sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
    • Add Source Address to Category specifies that the source IP address is added to the blacklist category assigned to the DoS vector.
  12. Customize attack types individually, as needed:
    1. Click the name of the attack type to open the properties screen for it.
    2. On the attack type properties screen, select the State for how to enforce protection for the attack type.
      • Mitigate indicates that watch, learn, alert, and mitigate protection is used.
      • Detect Only indicates that watch, learn, and alert protection is used.
      • Learn Only indicates that statistics are collected with no mitigation.
      • Disabled indicates that there is no statistics collection and no mitigation.
      Selecting a state determines which detection settings are displayed.
    3. Supply values for the displayed properties to configure the protection for the attack type.
    4. Click OK.
    Refer to the BIG-IP system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
  13. Save your work.
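The three rate settings in the protocol SIP table (Rate increased by, Rate threshold, Rate limit) and the per-vector Detection Threshold Percent, Detection Threshold EPS and Mitigation Threshold EPS values in the network security summary table are the same three quantities. The following added Python model, which is not BIG-IP or BIG-IQ code, shows how they combine with the attack-type State to decide whether a rate sample is only counted, alerted on, or rate-limited. The rule that both detection checks must trip before an attack is flagged, and the names VectorSettings, Verdict, evaluate and replay, are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the detection and mitigation settings described above;
# it is not BIG-IP or BIG-IQ code. Defaults mirror the SIP values the table gives.
@dataclass
class VectorSettings:
    state: str = "Mitigate"       # Mitigate | Detect Only | Learn Only | Disabled
    detect_pct: int = 500         # "Rate increased by" / Detection Threshold Percent
    detect_pps: int = 250_000     # "Rate threshold" / Detection Threshold EPS
    limit_pps: int = 2_500_000    # "Rate limit" / Mitigation Threshold EPS

@dataclass
class Verdict:
    stats_collected: bool   # every state except Disabled records statistics
    attack_detected: bool   # Detect Only and Mitigate raise an alert
    dropped_pps: int        # only Mitigate drops traffic above the limit

def evaluate(cfg: VectorSettings, baseline_pps: int, current_pps: int) -> Verdict:
    """Apply one vector's settings and State to a single rate sample.

    Assumption (the page does not say how the two detection checks combine):
    an attack is flagged only when BOTH the percent-increase check against the
    baseline AND the absolute packets-per-second check trip.
    """
    if cfg.state == "Disabled":
        return Verdict(False, False, 0)
    if cfg.state == "Learn Only":
        return Verdict(True, False, 0)
    # Percent check written as a multiplication so a zero baseline never divides;
    # with baseline 0 any positive rate counts as exceeding the percent increase.
    over_pct = current_pps > baseline_pps * (1 + cfg.detect_pct / 100)
    over_pps = current_pps > cfg.detect_pps
    detected = over_pct and over_pps
    dropped = 0
    if cfg.state == "Mitigate":
        # Page: "The system drops packets once the traffic level exceeds the rate limit."
        dropped = max(0, current_pps - cfg.limit_pps)
    return Verdict(True, detected, dropped)

def replay(cfg: VectorSettings, baseline_pps: int, samples: list[int]) -> list[Verdict]:
    """Evaluate a constructed series of per-minute rate samples against one baseline."""
    return [evaluate(cfg, baseline_pps, s) for s in samples]

if __name__ == "__main__":
    # Constructed sample: a quiet baseline of 20,000 pps, then a flood ramping up.
    minute_rates = [25_000, 130_000, 400_000, 3_100_000]
    for rate, v in zip(minute_rates, replay(VectorSettings(), 20_000, minute_rates)):
        print(f"{rate:>9} pps -> detected={v.attack_detected} dropped={v.dropped_pps}")
```

Note that 130,000 pps is a 550 percent increase over the constructed baseline yet is not flagged under this model, because it stays below the 250,000 pps threshold; switching the State to Detect Only keeps the alert but removes the drops.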

Edit DoS profiles

You can edit DoS profiles to fine tune what the system considers to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the name of the profile to modify.
    This locks the profile for editing and opens the properties screen.
    For details, consult these topics:
    • Configure for application security
    • Configure for protocol DNS security
    • Configure for protocol SIP security
    • Configure for network security
  3. Make edits as needed for your configuration.
    The system saves edits as you make them.