Behavioral DoS (BADoS) provides automatic
protection against DDoS attacks by analyzing traffic behavior using machine learning and data
analysis. Working together with other BIG-IP DoS
protections, Behavioral DoS examines traffic flowing between clients and application servers in
data centers, and automatically establishes the baseline traffic/flow profiles for Layer 7 (HTTP)
and Layers 3 and 4.
For example, in the case of a DDoS attack from a botnet, each request may be
completely legal, but many requests all at once can slow down or crash the server. Behavioral DoS
can mitigate the attack by slowing down the traffic no more than necessary to keep the server in
Behavioral DoS continuously monitors server health and load, by means of
a customer feedback loop, to ensure real-time correlation and to validate server conditions,
attacks, and mitigations. Any subsequent anomalies are put on watch, and the system applies
mitigations (slowdowns or blocks) as needed.
This is how Behavioral DoS works:
Learns typical behavior of
Detects an attack based on current conditions (server health)
Finds behavior anomaly (what and who changed to cause congestion?)
Mitigates by slowing down
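A simplified model of the four steps above, as an added example that is not F5's algorithm or BIG-IP code. The class, the EWMA baseline, the 3x latency stress rule and the traffic-bucket names are all assumptions, and the sample intervals are constructed.

```python
class BehavioralModel:
    """Toy model of the four steps; every name and constant is an assumption."""

    def __init__(self, alpha=0.2, stress_factor=3.0):
        self.alpha = alpha                  # EWMA weight for learning
        self.stress_factor = stress_factor  # latency multiple treated as stress
        self.rate = {}                      # bucket -> learned requests/interval
        self.latency = None                 # learned healthy latency (ms)
        self.healthy_peak = 0               # highest load served while healthy

    def _ewma(self, old, new):
        return new if old is None else (1 - self.alpha) * old + self.alpha * new

    def observe(self, counts, latency_ms):
        """Process one interval; return {bucket: requests allowed through}."""
        stressed = (self.latency is not None
                    and latency_ms > self.stress_factor * self.latency)
        if not stressed:
            # Learn typical behavior only while the server is healthy, so
            # attack traffic never becomes part of the baseline.
            self.latency = self._ewma(self.latency, latency_ms)
            for bucket, n in counts.items():
                self.rate[bucket] = self._ewma(self.rate.get(bucket), n)
            self.healthy_peak = max(self.healthy_peak, sum(counts.values()))
            return dict(counts)
        # Server health degraded: find which buckets changed versus baseline.
        excess = {b: n - self.rate.get(b, 0.0) for b, n in counts.items()}
        overload = sum(counts.values()) - self.healthy_peak
        allowed = dict(counts)
        # Slow the most anomalous buckets first, and only as much as needed.
        for b in sorted(excess, key=excess.get, reverse=True):
            if overload <= 0 or excess[b] <= 0:
                break
            cut = min(overload, int(excess[b]))
            allowed[b] -= cut
            overload -= cut
        return allowed


def demo():
    # Constructed sample: three healthy intervals, then a flood from one bucket.
    model = BehavioralModel()
    for counts, latency in [({"home": 100, "search": 40}, 80),
                            ({"home": 110, "search": 50}, 90),
                            ({"home": 90, "search": 45}, 85)]:
        model.observe(counts, latency)
    attack = {"home": 100, "search": 45, "flood": 900}
    return model, model.observe(attack, 1200)
```

In the constructed attack interval only the new "flood" bucket is slowed, and only until total load is back at the level the server handled while healthy; the baseline is left untouched while the server is stressed.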
You enable Behavioral DoS, which requires minimal configuration, in a DoS
profile in the Stress-based detection settings. Because the system is tracking the traffic data,
it adapts to changing conditions so there are no thresholds to specify. You set the level of
mitigation that you want to occur, ranging from no mitigation (learning only) to aggressive
protection (proactive DoS protection). The system can quickly detect Layer 7 DoS attacks,
characterize the offending traffic, and mitigate the attack.
You can use a DoS profile that has Behavioral DoS enabled to protect one or,
at most, two virtual servers.