Manual Chapter: Managing DoS Profiles in Shared Security
Applies to: BIG-IQ Centralized Management 7.1.0
About DoS profiles
A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.
Using Shared Security, you can configure DoS profiles to help prevent network, SIP, and DNS DoS and DDoS attacks, and to detect and protect against DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic).
You can monitor DoS profiles using the screens, and DDoS attack data using the screens.
DoS profile considerations when deploying to BIG-IP device clusters
In some cases, deploying a configuration containing a DoS profile from BIG-IQ Centralized Management to a BIG-IP device cluster can cause the cluster to become unsynchronized. If that occurs, manually synchronize the BIG-IP device cluster. Then reimport the BIG-IP system configuration to BIG-IQ Centralized Management, and select Use BIG-IP system as the operation to resolve any differences.
DoS profile considerations when managing multiple BIG-IP device versions
You use BIG-IQ Centralized Management to manage multiple BIG-IP devices, which can be running different versions. In most cases, this is handled seamlessly. However, in certain cases, objects differ significantly between BIG-IP device versions, and these objects require special handling when shared between BIG-IP device versions.
- Address lists in DoS profiles: DoS profiles that have address lists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later.
- Whitelists in DoS profiles: DoS profiles that have whitelists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later. In the BIG-IQ Centralized Management DoS profile, you configure whitelists differently, based on the BIG-IP device version you are managing.
  - To use a DoS profile to manage a BIG-IP device version 12.1 or earlier, select a whitelist value using the IP Address Whitelist setting on the DoS Profile Application Security Properties screen.
  - To use a DoS profile to manage a BIG-IP device version 13.0 or later, select a whitelist value using the HTTP Whitelist setting on the DoS Profile Properties screen.
  Do not select a value for both the HTTP Whitelist and the IP Address Whitelist settings in the same DoS profile.
Create DoS profiles
You can create a DoS profile and configure the circumstances under which the system considers traffic to be a DoS attack, and how the system handles a DoS attack.
- Click.
- In the DoS Profiles screen, click Create.
- In the New DoS Profile screen, add and set the properties as appropriate.
  - In the Name setting, specify a unique name for the DoS profile.
  - In the Create from template setting, you can select pre-defined settings for Application Security:
    - Select Default to enable general recommended settings for all required fields in Application Security.
    - Select BADoS Support 14.1.x to enable recommended settings for all required fields in Behavioral & Stress-based Detection. The Behavioral & Stress-based Detection template settings are recommended for BIG-IP versions 14.1 or later, and are not recommended for profiles attached to earlier BIG-IP versions. This template is only meant for DoS profiles on device version 14.1 or later. The template includes transparent protection against detected attacks.
  - In the Description setting, specify an optional description for the DoS profile.
  - In the Partition setting, specify the partition to which the DoS profile belongs. You can replace the default Common partition when creating DoS profiles by typing a unique name for a new partition. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  - In the Application Templates setting, select whether the policy is available to application templates. To make this policy available to application templates, select Make available in Application Templates.
  - In the Threshold Sensitivity setting, specify the threshold sensitivity for the DoS profile. Thresholds for detecting attacks are higher when sensitivity is Low, and lower when sensitivity is High. This property is not used with the Application Security protection type.
  - In the Source IP Address Whitelist setting, specify the configuration of the source IP address whitelist. This property is not used with the Application Security protection type.
  - In the HTTP Whitelist setting, specify the HTTP whitelist to use. This setting is applied only to BIG-IP devices version 13.0 or later.
- Select and enable one or more of the DoS protection types you want to use from the list on the left.
  - Application Security: Click Application Security, then select the Application Security check box, Enabled. When enabled, this protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature. Supply or modify any necessary property values.
  - Protocol DNS: Click Protocol DNS, then select the Protocol DNS Protection check box, Enabled. When enabled, this protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Supply or modify any necessary property values.
  - Protocol SIP: Click Protocol SIP, then select the Protocol SIP Protection check box, Enabled. When enabled, this protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.
  - Network: Click Network, then select the Network Protection check box, Enabled. When enabled, this protects your server against network DoS attacks. Supply or modify any necessary property values.
- When you are finished, save your work.
The new DoS profile is added to the list of profiles.
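The version rules scattered through this chapter (the 12.1-versus-13.0 whitelist split, the 14.1 template, the 13.0 and 13.1 gates on dynamic signature enforcement, the partition naming rule) are easy to violate in a profile that is later deployed to a mixed fleet. The following is an added example, not BIG-IQ code, that checks a profile against a target BIG-IP version before deployment. The profile is a plain dict, and its key names (http_whitelist, ip_address_whitelist, template, partition, protocol_dns, protocol_sip, network, dynamic_signature_enforcement, protocol_errors_attack_detection) are assumptions made for the example; the rules themselves are the ones stated on this page.

```python
"""Pre-deployment consistency check of a DoS profile against the target
BIG-IP version. Constructed example, not BIG-IQ code; the dict key names
are assumed for the example, the version rules come from the chapter."""


def parse_version(version: str) -> tuple:
    """'13.1.0' -> (13, 1, 0); comparisons are made on these tuples."""
    return tuple(int(part) for part in version.split("."))


def _uses_dynamic_signatures(section: dict) -> bool:
    # Enabled and Learn-Only both exercise the dynamic-signature setting.
    return section.get("dynamic_signature_enforcement") in ("Enabled", "Learn-Only")


def check_profile(profile: dict, device_version: str) -> list:
    """Return a list of (severity, message) findings; an empty list is clean."""
    ver = parse_version(device_version)
    findings = []

    # Whitelists: IP Address Whitelist is for 12.1 or earlier, HTTP Whitelist
    # for 13.0 or later, and a single profile must not set both.
    http_wl = profile.get("http_whitelist")
    ip_wl = profile.get("ip_address_whitelist")
    if http_wl and ip_wl:
        findings.append(("error", "HTTP Whitelist and IP Address Whitelist are both set; use only one"))
    if http_wl and ver < (13, 0):
        findings.append(("error", "HTTP Whitelist applies only to BIG-IP 13.0 or later; use IP Address Whitelist here"))
    if ip_wl and ver >= (13, 0):
        findings.append(("error", "IP Address Whitelist is for BIG-IP 12.1 or earlier; use HTTP Whitelist here"))

    # The partition must already exist on the device and may not contain whitespace.
    partition = profile.get("partition", "Common")
    if any(ch.isspace() for ch in partition):
        findings.append(("error", f"partition name {partition!r} contains whitespace"))

    # The BADoS template is meant only for devices on 14.1 or later.
    if profile.get("template") == "BADoS Support 14.1.x" and ver < (14, 1):
        findings.append(("warning", "BADoS Support 14.1.x template is not recommended for BIG-IP earlier than 14.1"))

    # Protocol Errors Attack Detection (DNS and SIP) is ignored on 13.0 or later
    # and shows as a difference until the configuration is re-imported.
    for proto in ("protocol_dns", "protocol_sip"):
        if profile.get(proto, {}).get("protocol_errors_attack_detection") and ver >= (13, 0):
            findings.append(("warning", f"{proto}: Protocol Errors Attack Detection is ignored on BIG-IP 13.0 or later"))

    # Dynamic signature enforcement: 13.1 or later for DNS, 13.0 or later for Network.
    if _uses_dynamic_signatures(profile.get("protocol_dns", {})) and ver < (13, 1):
        findings.append(("error", "DNS dynamic signature enforcement requires BIG-IP 13.1 or later"))
    if _uses_dynamic_signatures(profile.get("network", {})) and ver < (13, 0):
        findings.append(("error", "Network dynamic signature enforcement requires BIG-IP 13.0 or later"))
    return findings


def has_errors(findings: list) -> bool:
    """True when at least one finding would block deployment."""
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    # constructed sample profile, checked against a 13.1.0 device
    sample = {
        "partition": "Common",
        "http_whitelist": "wl-partners",
        "template": "BADoS Support 14.1.x",
        "protocol_dns": {"protocol_errors_attack_detection": True,
                         "dynamic_signature_enforcement": "Enabled"},
    }
    for severity, message in check_profile(sample, "13.1.0"):
        print(f"{severity}: {message}")
```

Run the check once per target version in the fleet: a profile that is clean for a 13.1 device can still carry errors for a 12.1 device, which is exactly the sharing problem the chapter warns about.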
Configure for application security
Your virtual server must include an HTTP profile to use the application security feature.
You can configure the conditions under which the system determines that your application is under a DoS attack, and how the system reacts to a suspected attack.
For application security it is recommended to configure only one DoS profile per application.
- Click.
- In the DoS Profiles screen, click the profile name to configure.
- On the left, click Application Security to expand the list.
- Click Properties to display the General Settings screen and configure the application security general settings.
  - In the Application Security setting, select Enabled to use application security protection and display additional properties.
  - In the IP Address Whitelist setting, specify the IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
    - To add an IP address to the whitelist, type it in the upper field, and click Add. The IP address is added to the whitelist in the lower field.
    - To delete an IP address from the whitelist, select the IP address from the whitelist in the lower field, and click Remove.
  - In the Geolocations setting, specify that you want to override the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
    - To allow traffic from a country, select the country and move it to the Geolocation Whitelist.
    - To block traffic from a country, select the country and move it to the Geolocation Blacklist.
  - In the Trigger iRule setting, enable this setting if you have an iRule that manages DoS events in a customized manner.
  - In the Single Page Application setting, enable this setting if your website is a single page application.
  - In the URL Patterns setting, configure the URL patterns to be used. Each URL pattern defines a set of URLs which are logically the same URL, with the varying part of the pattern acting as a parameter, such as /product/*php.
    - To add the URL pattern to the list, type the URL pattern and click Add.
    - To remove the URL pattern from the list, select the pattern from the URL Patterns list, and click Remove.
  - In the Traffic Scrubbing setting, enable this setting if you want traffic scrubbing enabled during attacks by advertising BGP routes. This feature requires configuration of a scrubber profile. Change the Advertisement Duration value if needed.
  - In the RTBH setting, enable this setting if you want remotely triggered black hole (RTBH) filtering of attacking BGP IPs by advertising BGP routes. This feature requires configuration of the blacklist publisher. Change the Advertisement Duration value if needed.
  - In the Performance Acceleration setting, configure whether performance acceleration should be used.
    - To not use performance acceleration, select None.
    - To use performance acceleration, select the TCP fastL4 profile to be used as the fast-path for acceleration.
- To use the Proactive Bot Defense screen to configure those settings, click Proactive Bot Defense.
  - Operation Mode: Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks, or Always. If Off is selected, no other settings are displayed on this tab.
  - Block requests from suspicious browsers: Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
    - Select the Block Suspicious Browsers check box to enable or disable blocking of suspicious browsers.
    - Select the CAPTCHA Challenge check box to enable or disable issuing a challenge. Click CAPTCHA Response Settings to select the responses to use.
  - Grace Period: Specifies the time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click Reset to Default to reset the value.
  - Cross-Domain Requests: You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the Cross-Domain Requests options.
  - Related Site Domains: Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking Add. Remove a domain by selecting it and clicking Remove.
  - Related External Domains: Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking Add. Remove a domain by selecting it in the text box and clicking Remove.
  - URL Whitelist: Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the whitelist by typing a URL in the text box and clicking Add. Remove a URL by selecting it and clicking Remove.
- To use the Bot Signatures screen to configure those settings, click Bot Signatures.
  - Bot Signature Check: Select Enabled to display settings. You cannot disable the Bot Signature Check property while Proactive Bot Detection, TPS-based Detection with By Device ID selected, or Stress-based Detection with By Device ID selected, is enabled. To disable the Bot Signature Check property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling Bot Signature Check, you can disable categories of bot signatures individually.
  - Malicious Categories and Benign Categories: These two category lists are handled similarly. For either category, select None, Report, or Block. That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.
  - Disabled Bot Signatures: Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the Available Signatures list and the Disabled Signatures list.
- To configure how mobile applications built with the Anti-Bot Mobile SDK are detected and to define how requests from mobile application clients are handled, click Mobile Applications.
  - Mobile App Protection: Select whether to enable mobile application DoS protection.
    - Select Enabled to enable configuration of mobile application DoS protection. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the settings.
    - Do not select Enabled to have mobile application requests handled without DoS protection.
  - iOS: Specify the settings for iOS mobile applications.
    - To allow traffic on any iOS package, select Allow Any Package Name. A package name is the unique identifier of the mobile application, such as com.f5.app1.
    - To allow traffic from jailbroken iOS devices, select Allow Jailbroken Devices.
    - To allow traffic on specified packages, enter the iOS package names to allow, and click Add. To remove a package from the list, select the package and click Remove. This option is not available if you have chosen Allow Any Package Name. When set, all other packages will be blocked with the mobile application response page text.
  - Android: Specify the settings for Android mobile applications.
    - To allow any application publisher, select Allow Any Publisher. A publisher is identified by the certificate used to sign the application.
    - To allow traffic from rooted Android devices, select Allow Rooted Devices.
    - To allow traffic on specified packages, select publisher certificates from the Available publisher certificates list, and move them to the Assigned publisher certificates list. All other certificates will be blocked with the mobile application response page text. This option is not available if you have chosen Allow Any Publisher.
  - Advanced: Specify advanced handling of requests from mobile applications.
    - When a CAPTCHA or client side integrity challenge needs to be presented, select the action to take.
      - To have the traffic passed without incident, select Always passed.
      - To have the traffic challenged for human behavior, select Challenged for human behavior. When selected, the SDK checks for human interactions with the screen in the last few seconds. If none are detected, the traffic is blocked.
    - To allow traffic from applications that are run on emulators, select Allow Emulators.
- To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click TPS-based Detection.
  - Operation Mode: Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
  - Thresholds Mode: Specifies how thresholds are configured. The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    - To configure each mitigation behavior threshold manually, select Manual.
    - To use the system default mitigation threshold settings, select Automatic.
  - By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  - By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  - By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
  - By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  - Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  - Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- To configure settings for the detection of DoS attacks based on server stress, click Behavioral and Stress-based Detection. By default, enabling Application Security under General Settings automatically populates all required fields for Behavioral and Stress-based Detection. You can customize the default configuration using the properties described below.
  - Operation Mode: Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
  - Thresholds Mode: Specifies how thresholds are configured. The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    - To configure each mitigation behavior threshold manually, select Manual.
    - To use the system default mitigation threshold settings, select Automatic.
  - By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  - By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  - By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
  - By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  - Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  - Behavioral Detection and Mitigation: Specifies the mitigation behavior and, when enabled, the selected level of mitigation to use.
    - For the Bad actors behavior detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
    - For the Request signatures detection setting, select Enabled to perform signature detection. Select Use approved signatures only to use only approved signatures.
    - For the Mitigation setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
  - Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- To configure settings for protecting heavy URLs during DoS attacks, click Heavy URL Protection. Heavy URLs are those which have the potential to cause stress on the server, even with a low TPS count.
  - Automatic Detection: Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
  - Heavy URLs: You can configure a list of heavy URLs to protect in addition to the automatically detected ones. Type a URL in the top field, and click Add. Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click Remove.
  - Ignored URLs: You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click Add. To remove a URL from the list, select the URL from the text box, and click Remove.
  - Latency Threshold: If Automatic Detection is enabled, set the Latency Threshold setting to the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Reset to Default to reset the value to 1000.
- To define the responses to use when issuing a challenge, click CAPTCHA Response Settings. The exact format of a response body differs depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
  - For the First Response Type, select Default to use the default response, or select Custom to create your own first response body by entering it into the First Response Body area. Here is an example first response body:
    This question is for testing whether you are a human visitor and to prevent automated spam submission. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
  - For the Failure Response Type, select Default to use the default response, or select Custom to create your own failure response body by entering it into the Failure Response Body area. Here is an example failure response body:
    You have entered an invalid answer for the question. Please, try again. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
- Click Record Traffic to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration. You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a pcap extension and are located in this path on the BIG-IP device: /shared/dosl7/tcpdumps.
  - Record Traffic During Attacks: Controls whether traffic recording is used. The default is disabled and causes other properties to be hidden. Note that the system records SSL traffic encrypted. Select Enabled to specify that the system record traffic when a DoS attack is underway, and display settings.
  - Maximum TCP Dump Duration: Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
  - Maximum TCP Dump Size: Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
  - TCP Dump Repetition: Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
- Save your work.
The settings are incorporated into the DoS profile.
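The Heavy URL Protection settings above combine three inputs: a manually configured list, automatic detection of URLs whose latency exceeds the Latency Threshold (1000 milliseconds by default), and an Ignored URLs list with wildcards that is excluded from automatic detection. The following is an added example, not BIG-IP code, that applies that classification to a constructed latency log so you can see which URLs each setting pulls in or keeps out. The log format, the path names and the function names are invented for the example; the threshold default and the wildcard behaviour follow the text.

```python
"""Heavy URL classification modelled on the Heavy URL Protection settings:
manual list, automatic detection above a latency threshold, and ignored
URL patterns. Constructed example, not BIG-IP code."""
from collections import defaultdict
from fnmatch import fnmatchcase
import re

DEFAULT_LATENCY_THRESHOLD_MS = 1000  # page default for Latency Threshold

# constructed sample log: "<method> <path> <server latency in ms>"
SAMPLE_LOG = """\
GET /product/list.php 1450
GET /product/list.php 1600
GET /product/123.php 40
GET /static/app.js 12
GET /static/app.js 9
GET /report/export.php 2300
POST /login 180
GET /health 3
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<ms>\d+)$")


def latencies_by_path(log_text: str) -> dict:
    """Group observed latencies per request path, skipping malformed lines."""
    samples = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            samples[match["path"]].append(int(match["ms"]))
    return samples


def is_ignored(path: str, ignored_patterns) -> bool:
    """Ignored URLs support wildcards, e.g. /report/* or /product/*php."""
    return any(fnmatchcase(path, pattern) for pattern in ignored_patterns)


def detect_heavy_urls(log_text: str, manual_heavy=(), ignored=(), automatic=True,
                      threshold_ms=DEFAULT_LATENCY_THRESHOLD_MS) -> dict:
    """Return {path: reason} with reason 'manual' or 'automatic'.
    Manual entries are always protected. With automatic detection enabled,
    a path is added when its mean latency exceeds the threshold and it
    matches no ignored pattern; ignored patterns never remove manual entries."""
    heavy = {path: "manual" for path in manual_heavy}
    if not automatic:
        return heavy
    for path, ms_values in latencies_by_path(log_text).items():
        if path in heavy or is_ignored(path, ignored):
            continue
        if sum(ms_values) / len(ms_values) > threshold_ms:
            heavy[path] = "automatic"
    return heavy


if __name__ == "__main__":
    result = detect_heavy_urls(SAMPLE_LOG, manual_heavy=["/search"], ignored=["/report/*"])
    for path, reason in sorted(result.items()):
        print(f"{reason:9s} {path}")
```

The ignored list is the setting to watch: a broad wildcard such as /report/* silences automatic detection for an entire subtree, so a genuinely expensive endpoint under it is only protected if it is also added manually.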
Configure for protocol DNS security
You can configure the conditions under which the system determines that your DNS server is under a DoS attack.
- Click.
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Protocol DNS Security to display the Properties screen.
- On the Properties screen, select the Enabled check box for Protocol DNS Protection.
- To enable Protocol Errors Attack Detection, select the Enabled check box. This setting is ignored when deploying to BIG-IP devices with version 13.0 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
- Specify the adjustable settings as necessary for your configuration. The system saves settings as you enter them.
  - In the Rate increased by setting, specify that the system considers traffic to be an attack if the rate of requests increases above this number. By default, the system calculates this number every hour, and updates it every minute. The default is 500 percent.
  - In the Rate threshold setting, specify the number of packets per second that must be exceeded to indicate to the system that there is an attack. The default is 250,000 packets per second.
  - In the Rate limit setting, specify the limit in packets per second. The default is 2,500,000 packets per second.
- In the Enforcement setting in the Dynamic Signatures area, select the enforcement state for dynamic signatures. This setting is only available for BIG-IP devices version 13.1 or later.
  - To enable enforcement of dynamic DoS vectors, select Enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
  - To apply no action or thresholds to dynamic vectors, select Disabled.
  - To track dynamic vector statistics, without enforcing any thresholds or limits, select Learn-Only.
- In the Mitigation Sensitivity setting in the Dynamic Signatures area, specify the mitigation sensitivity for dynamic signatures (None, Low, Medium, or High).
- At the bottom of the screen, review the list of known attack types and their current settings in the summary table.
  - Threshold Mode specifies how thresholds are set for this vector.
    - Fully Automatic indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
    - Manual Detection/Auto Mitigation indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
    - Fully Manual indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
  - Detection Threshold EPS specifies how many packets per second the system must discover in traffic in order to detect this attack.
  - Detection Threshold Percent specifies the threshold percent the system must discover in traffic in order to detect this attack.
  - Mitigation Threshold EPS specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
  - Bad Actor Detection specifies that Bad Actor detection is enabled. This appears only for non-error packets and non sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
  - Add Source Address to Category specifies that the source IP address be added to the blacklist category assigned to the DoS vector.
- Customize attack types individually, as needed:
  - Click the name of the attack type to open the properties screen for it.
  - On the attack type properties screen, select the State for how to enforce protection for the attack type.
    - Mitigate indicates that watch, learn, alert, and mitigate protection is used.
    - Detect Only indicates that watch, learn, and alert protection is used.
    - Learn Only indicates that stats should be collected with no mitigation.
    - Disabled indicates that there should be no stat collection and no mitigation.
  - Supply values for the properties displayed to configure the protection for the attack type.
  - Click OK.
  Refer to the BIG-IP system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
- Save your work.
Configure for protocol SIP security
Your virtual server must include a SIP (Session Initiation Protocol) profile to configure protocol SIP security in the DoS profile.
You can configure the conditions under which the system determines that your server, running SIP, is under a DoS attack.
- Click.
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Protocol SIP Security to display the Protocol SIP Security Properties screen.
- On the Properties screen, select the Enabled check box for Protocol SIP Protection. The screen displays additional properties.
- To enable Protocol Errors Attack Detection, select the Enabled check box. This setting is ignored when deploying to BIG-IP devices with version 13.0 or later. When the configuration with this setting is changed and then evaluated, the setting will show as a difference until the configuration is re-imported from the BIG-IP device.
- Specify the adjustable settings as necessary for your configuration. The system saves settings as you enter them.
  - Rate increased by: Specifies that the system considers traffic to be an attack if the rate of requests increases by more than this number. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
  - Rate threshold: Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
  - Rate limit: Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
- At the bottom of the screen, review the list of known attack types and their current settings in the summary table.
  - Threshold Mode specifies how thresholds are set for this vector.
    - Fully Automatic indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
    - Manual Detection/Auto Mitigation indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
    - Fully Manual indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
  - Detection Threshold EPS specifies how many packets per second the system must discover in traffic in order to detect this attack.
  - Detection Threshold Percent specifies the threshold percent the system must discover in traffic in order to detect this attack.
  - Mitigation Threshold EPS specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
  - Bad Actor Detection specifies that Bad Actor detection is enabled. This appears only for non-error packets and non sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
  - Add Source Address to Category specifies that the source IP address be added to the blacklist category assigned to the DoS vector.
- Customize attack types individually, as needed:
  - Click the name of the attack type to open the properties screen for it.
  - On the attack type properties screen, select the State for how to enforce protection for the attack type.
    - Mitigate indicates that watch, learn, alert, and mitigate protection is used.
    - Detect Only indicates that watch, learn, and alert protection is used.
    - Learn Only indicates that stats should be collected with no mitigation.
    - Disabled indicates that there should be no stat collection and no mitigation.
  - Supply values for the properties displayed to configure the protection for the attack type.
  - Click OK.
  Refer to the BIG-IP system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
- Save your work.
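The protocol DNS and protocol SIP procedures share the same three rate settings (Rate increased by, Rate threshold, Rate limit) and the same per-attack-type State (Mitigate, Detect Only, Learn Only, Disabled), but the chapter does not spell out how they combine minute by minute. The following is an added example, not BIG-IP or BIG-IQ code, that models that interaction with the page's default values over a constructed sequence of per-minute packet rates. Two points are assumptions, not statements from the page: whether the relative increase and the absolute threshold must both hold or either suffices (made configurable via require_both, default either), and that minutes flagged as an attack are kept out of the learned baseline so a sustained flood cannot train itself into "normal". The class and function names are invented for the example.

```python
"""Model of the rate-based DoS detection settings used by the protocol DNS
and protocol SIP sections. Constructed example, not BIG-IP code; see the
ASSUMPTION comments for the two rules the page does not state."""
from collections import deque
from dataclasses import dataclass


@dataclass
class VectorConfig:
    rate_increased_by_pct: float = 500.0   # page default: 500 percent
    rate_threshold_pps: int = 250_000      # page default: 250,000 pps
    rate_limit_pps: int = 2_500_000        # page default: 2,500,000 pps
    state: str = "Mitigate"                # Mitigate | Detect Only | Learn Only | Disabled
    # ASSUMPTION: True means both criteria must hold, False means either
    # criterion alone declares an attack. The page does not say which.
    require_both: bool = False


@dataclass
class Decision:
    rate_pps: int
    baseline_pps: float
    attack: bool
    action: str          # "none" | "log" | "drop"
    dropped_pps: int


class RateDetector:
    """Sliding one-hour window of per-minute rates as the baseline, mirroring
    'calculated every hour, updated every minute'."""

    def __init__(self, cfg: VectorConfig, window_minutes: int = 60):
        self.cfg = cfg
        self.window = deque(maxlen=window_minutes)

    def baseline(self) -> float:
        return sum(self.window) / len(self.window) if self.window else 0.0

    def _is_attack(self, rate: int, base: float) -> bool:
        cfg = self.cfg
        above_abs = rate > cfg.rate_threshold_pps
        # relative increase over the learned baseline, in percent
        increase = ((rate - base) / base * 100.0) if base > 0 else 0.0
        above_rel = increase > cfg.rate_increased_by_pct
        return (above_abs and above_rel) if cfg.require_both else (above_abs or above_rel)

    def observe(self, rate_pps: int) -> Decision:
        cfg = self.cfg
        if cfg.state == "Disabled":
            # no stat collection and no mitigation
            return Decision(rate_pps, self.baseline(), False, "none", 0)
        base = self.baseline()
        attack = self._is_attack(rate_pps, base)
        # ASSUMPTION: attack minutes do not feed the baseline.
        if not attack:
            self.window.append(rate_pps)
        if cfg.state == "Learn Only":
            return Decision(rate_pps, base, attack, "none", 0)
        if cfg.state == "Detect Only" or not attack:
            return Decision(rate_pps, base, attack, "log" if attack else "none", 0)
        # Mitigate: during an attack, traffic above the rate limit is dropped
        dropped = max(0, rate_pps - cfg.rate_limit_pps)
        return Decision(rate_pps, base, True, "drop", dropped)


def replay(cfg: VectorConfig, rates: list) -> list:
    """Run a sequence of per-minute rates through a fresh detector."""
    det = RateDetector(cfg)
    return [det.observe(r) for r in rates]


if __name__ == "__main__":
    # constructed trace: an hour of quiet traffic, then two flood minutes
    trace = [10_000] * 60 + [300_000, 3_000_000]
    for i, d in enumerate(replay(VectorConfig(), trace)):
        if d.attack:
            print(f"minute {i}: {d.rate_pps} pps, baseline {d.baseline_pps:.0f}, "
                  f"{d.action}, dropped {d.dropped_pps} pps")
```

Note what the defaults imply: a burst from 10,000 to 100,000 packets per second is a 900 percent increase and trips the relative criterion even though it stays well under the 250,000 pps absolute threshold, while the 2,500,000 pps rate limit means a Mitigate state only starts dropping at ten times the detection threshold. Run the model with your own baseline and rate values before changing the defaults on a production profile.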
Configure for Network Security
You can configure the conditions
under which the system determines that your server is under a network DoS
attack.
- Click.
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Network Security to display the Properties screen.
- On the Properties screen, select the check box for Network Protection. The screen displays an area for configuring dynamic signatures, and a list of commonly known network attack types that the system can detect.
- In the Enforcement setting, select the enforcement state for dynamic signatures. This setting is available only for BIG-IP devices version 13.0 or later.
- To enable enforcement of dynamic DoS vectors, select Enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
- To apply no action or thresholds to dynamic vectors, select Disabled.
- To track dynamic vector statistics without enforcing any thresholds or limits, select Learn-Only.
- In the Mitigation Sensitivity setting, specify the mitigation sensitivity for dynamic signatures (None, Low, Medium, or High).
- In the Redirection/Scrubbing setting, specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category. Enabling redirection and scrubbing causes additional options to be displayed.
- In the Scrubbing Category setting, select the IP intelligence blacklist category to which scrubbed IP addresses are sent.
- In the Scrubbing Advertisement Time setting, type the duration in seconds for which an IP address is added to the blacklist category.
- At the bottom of the screen, review the Known Attack Types list that shows commonly known attack types that you want the system to detect in packets.
- Review the list of known attack types and their current settings in the summary table.
- Threshold Mode specifies how thresholds are set for this vector.
- Fully Automatic indicates that automatic thresholds are used to mitigate DDoS attacks based on server stress.
- Manual Detection/Auto Mitigation indicates that you set thresholds manually. However, the system also automatically examines server stress, and mitigates the attack vector if the server is stressed.
- Fully Manual indicates that you configure parameters for DoS vector detection and rate limiting manually. The system mitigates the attack vector based on the threshold values you set.
- Detection Threshold EPS specifies how many packets per second the system must discover in traffic in order to detect this attack.
- Detection Threshold Percent specifies the threshold percent the system must discover in traffic in order to detect this attack.
- Mitigation Threshold EPS specifies the maximum number of packets of this type per second that the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
- Bad Actor Detection specifies that Bad Actor detection is enabled. This appears only for non-error packets and non-sweep/flood packets. Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
- Add Source Address to Category specifies that the source IP address is added to the blacklist category assigned to the DoS vector.
- Customize attack types individually, as needed:
- Click the name of the attack type to open the properties screen for it.
- On the attack type properties screen, select the State for how to enforce protection for the attack type.
- Mitigate indicates that watch, learn, alert, and mitigate protection is used.
- Detect Only indicates that watch, learn, and alert protection is used.
- Learn Only indicates that stats are collected with no mitigation.
- Disabled indicates that there is no stat collection and no mitigation.
- Supply values for the properties displayed to configure the protection for the attack type.
- Click OK.
Refer to the BIG-IP system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
- Save your work.
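The following Python model is an added illustration (not BIG-IQ or BIG-IP code) of how the per-vector enforcement State and the Detection Threshold EPS / Mitigation Threshold EPS values described in the summary tables above combine over one second of traffic; the per-source packet rate used to flag a bad actor, and the sample traffic, are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List

# Enforcement states selectable on the attack type properties screen.
MITIGATE = "Mitigate"          # watch, learn, alert, and mitigate
DETECT_ONLY = "Detect Only"    # watch, learn, and alert
LEARN_ONLY = "Learn Only"      # collect stats only
DISABLED = "Disabled"          # no stats, no mitigation


@dataclass
class VectorConfig:
    name: str
    state: str
    detection_eps: int    # Detection Threshold EPS: packets/s needed to flag an attack
    mitigation_eps: int   # Mitigation Threshold EPS: rate limit above which packets drop
    bad_actor_eps: int    # assumed per-source packets/s that marks a bad actor (0 = off)


@dataclass
class VectorResult:
    packets_seen: int      # stats collected (0 when Disabled)
    attack_detected: bool  # alert raised (Mitigate / Detect Only only)
    packets_dropped: int   # mitigation applied (Mitigate only)
    bad_actors: List[str]  # sources flagged for logging / rate limiting


def evaluate_second(cfg: VectorConfig, source_ips: List[str]) -> VectorResult:
    """Apply one second of packets for one vector under the configured state."""
    if cfg.state == DISABLED:
        return VectorResult(0, False, 0, [])
    seen = len(source_ips)
    alerting = cfg.state in (MITIGATE, DETECT_ONLY)
    detected = alerting and seen >= cfg.detection_eps
    dropped = max(0, seen - cfg.mitigation_eps) if cfg.state == MITIGATE else 0
    bad_actors: List[str] = []
    if detected and cfg.bad_actor_eps > 0:
        per_source = Counter(source_ips)
        bad_actors = sorted(ip for ip, n in per_source.items() if n >= cfg.bad_actor_eps)
    return VectorResult(seen, detected, dropped, bad_actors)


# Constructed sample second: one source sends 120 packets, 30 others send one each.
SAMPLE_SECOND = ["198.51.100.7"] * 120 + [f"203.0.113.{i}" for i in range(1, 31)]

if __name__ == "__main__":
    for state in (MITIGATE, DETECT_ONLY, LEARN_ONLY, DISABLED):
        cfg = VectorConfig("sample-vector", state, 100, 120, 50)
        print(state, evaluate_second(cfg, SAMPLE_SECOND))
```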
Edit DoS profiles
You can edit DoS profiles to fine-tune what the system considers to be a DoS attack, and how the system handles a DoS attack.
- Click.
- In the DoS Profiles screen, click the name of the profile to modify. This locks the profile for editing and opens the properties screen. For details, consult these topics:
- Configure for application security
- Configure for protocol DNS security
- Configure for protocol SIP security
- Configure for network security
- Make edits as needed for your configuration. The system saves edits as you make them.