Behavioral and stress-based detection settings
Applies To: BIG-IQ Centralized Management 7.1.0
How the system evaluates the outcome of Behavioral DoS (BaDoS) protection for your virtual server or application depends on the following DoS Behavioral and Stress-based settings. These settings apply thresholds that evaluate server stress, which in turn allow the system to identify behavioral signatures that characterize the attack. To edit your profile's settings, go to your DoS protected objects list and select the DDoS profile link. From the DoS profile, expand Application Security and select Behavioral & Stress-based Detection. For more information about DoS profile configuration, see Create DoS Profiles.

Stress-Based Detection
Stress-based detection determines whether a DoS attack is ongoing. This method combines monitoring of general traffic over time with specific detection measures that indicate a DoS attack. Using specific threshold indicators, such as repeated source IPs or URL requests, the system can identify when an attack is ongoing. Web Application Security settings trigger attack detection if any (or all) options in your stress-based settings are configured in your DoS profile.

Site Wide detection is applied when traffic to the entire web site has exceeded the thresholds defined in the detection thresholds, and an attack has not been detected using any of the other detection criteria.

Behavioral Detection
Behavioral detection settings identify attacks and their characteristics. This detection method provides signatures of an attack that can be added to your attack signature list when the attack recurs. The following behaviors are used to detect an attack:
- Bad Actor Detection
- Tracks and attempts to identify the bad actors contributing to a given set of malicious traffic. This method identifies a set of malicious traffic contributing to the server stress, and attempts to identify which source IP addresses are generating the malicious traffic and what percentage of the malicious traffic a given bad actor is contributing. Bad actors are mitigated at the transport layer via slowdown mitigation techniques; the rate at which they are mitigated is directly related to their percentage of contribution to the malicious traffic set and to the mitigation selected.
- Signature Detection
- When enabled, traffic characteristics are used to identify the cause of the server stress. If there are deviating characteristics, the system dynamically generates a signature based on those characteristics to block the traffic anomalies.
- When Accelerated signatures is enabled, the system detects signatures before connection establishment. This automatically enables the syn-cookie mechanism during the attack.
- When Use approved signatures only is enabled, the system administrator must manually review and approve detected signatures before mitigation action is taken. To view these signatures, go to .
Mitigation
- No Mitigation
- Monitors traffic, generates signatures, and identifies bad actors, but does not perform any mitigation.
- Standard Protection
- If Bad Actors Behavior Detection is enabled, slows down identified bad actors.
- If Request Signatures Detection is enabled, blocks requests that match attack signatures.
- Rate limits all requests based on server health.
- Limits the number of concurrent connections from bad actor IP addresses.
- Limits the total number of concurrent connections based on server health.
- Aggressive Protection
- If Bad Actors Behavior Detection is enabled, slows down identified bad actors.
- If Request Signatures Detection is enabled, blocks requests that match attack signatures.
- Rate limits all requests based on server health.
- Limits the number of concurrent connections from bad actor IP addresses.
- Limits the total number of concurrent connections based on server health.
- Proactively performs all protection actions, even before attack detection, increasing the impact of the protection techniques.
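The following is an added illustrative model of the bad actor logic described above (contribution percentage per source IP, slowdown proportional to that share, and the three mitigation modes); it is not F5's implementation. The sample source list, the 20% bad actor threshold and the per-mode scaling factors are constructed assumptions for the example.

```python
"""Illustrative model of BaDoS-style bad actor scoring; not F5's algorithm."""
from collections import Counter

# Constructed sample: source IPs of requests seen in one window while the
# server is under stress (the "malicious traffic set" in the page's terms).
STRESSED_WINDOW = [
    "203.0.113.5", "203.0.113.5", "203.0.113.5", "203.0.113.5", "203.0.113.5",
    "198.51.100.7", "198.51.100.7", "198.51.100.7",
    "192.0.2.10", "192.0.2.11",
]

# Assumed scaling of the slowdown per mitigation mode. "no_mitigation" only
# observes (factor 0); "aggressive" applies protection more heavily.
MODES = {"no_mitigation": 0.0, "standard": 1.0, "aggressive": 2.0}


def contribution_shares(source_ips):
    """Return {ip: fraction of the malicious traffic set sent by that ip}."""
    counts = Counter(source_ips)
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()}


def classify_bad_actors(shares, threshold=0.2):
    """Source IPs whose share meets the (assumed) threshold are bad actors."""
    return {ip: share for ip, share in shares.items() if share >= threshold}


def slowdown_factor(share, mode):
    """Slowdown for one bad actor: proportional to its share, scaled by mode."""
    return round(share * MODES[mode], 3)


def plan_mitigation(source_ips, mode, threshold=0.2):
    """Map each identified bad actor to the slowdown the chosen mode applies."""
    shares = contribution_shares(source_ips)
    bad_actors = classify_bad_actors(shares, threshold)
    return {ip: slowdown_factor(s, mode) for ip, s in bad_actors.items()}


if __name__ == "__main__":
    for mode in MODES:
        print(mode, plan_mitigation(STRESSED_WINDOW, mode))
```

Note that under no_mitigation the bad actors are still identified, matching the page's description that this mode monitors and identifies without acting.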