Manual Chapter: Managing DoS Profiles
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Managing DoS Profiles
Using DoS profiles to improve application security
A denial of service attack (DoS attack) makes a resource unavailable to its intended users, or obstructs the communication media between the intended users and the site. A DoS profile allows you to define, monitor, and mitigate traffic patterns that threaten application security.
First, you create a new DoS profile that defines general properties of DoS protection.
Once the profile is created, you can configure your profile to detect DoS attacks specific to application security. Application security can define DoS attacks based on either:
- A high volume of incoming traffic (using TPS-based Detection settings)
- Server stress (with Behavioral and Stress-based Detection settings)
Create a DoS profile with application security
Before you can create a DoS profile, your virtual server must include an HTTP profile to use the application security feature.
You create a new DoS profile for your objects if you have not yet configured DoS protection, or if the current DoS profiles in the system do not meet the needs of your application or stand-alone virtual server.
- Go to the screen that displays your protected objects. The screen provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
- Click Create and select DoS Profile.
- In the New DoS Profile screen, add and set the properties as appropriate.
- Specify a unique Name for the DoS profile.
- To add a template that automatically populates the required fields for specific protection aspects of the DoS profile, select an option from Create from template. Certain template options have a minimum required BIG-IP device version. Ensure that you are creating a DoS profile for a device that meets these requirements.
- Specify an optional Description for the DoS profile.
- Specify the Partition to which the DoS profile belongs. You can replace the default Common partition when creating DoS profiles by typing a unique name for a new partition. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- If you want to make this policy available to application templates, for Application Templates select the Make available in Application Templates check box.
- Specify the Threshold Sensitivity for the DoS profile. Thresholds for detecting attacks are higher when sensitivity is Low, and lower when sensitivity is High. This property is not used with the Application Security protection type.
- In the Source IP Address Allowlist setting, specify the configuration of the Source IP address allow list. This property is not used with the Application Security protection type.
- In the HTTP Allowlist setting, specify the HTTP allowlist to use. This setting is applied only to BIG-IP devices version 13.0, or later.
- At the left, click Application Security, then select the Enabled check box. When enabled, this protects your web application against DoS attacks. Supply or modify any necessary values in the Properties settings. For information on the configuration process, refer to the Configure for application security topic in F5 BIG-IQ Centralized Management: Security on support.f5.com.
- To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click TPS-based Detection.
  Operation Mode: Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
  Thresholds Mode: Specifies how thresholds are configured.
  - To configure each mitigation behavior threshold manually, select Manual.
  - To use the system default mitigation threshold settings, select Automatic.
  The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
  By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
  By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- To configure settings for the detection of DoS attacks based on server stress, click Behavioral and Stress-based Detection.
  Operation Mode: Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
  Thresholds Mode: Specifies how thresholds are configured.
  - To configure each mitigation behavior threshold manually, select Manual.
  - To use the system default mitigation threshold settings, select Automatic.
  The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
  By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
  By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  Behavioral Detection and Mitigation: Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
  - For the Bad actors behavior detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
  - For the Request signatures detection setting, select Enabled to perform signature detection.
  - For signature detection before establishing a connection, select Accelerated signatures.
  - For system admin mitigation approval of detected signatures, select Use approved signatures only. This is an extra step that allows the administrator to manually approve detected signatures.
  - For the Mitigation setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
  Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- When you are finished, save your work.
The new DoS profile is added to the list of profiles. At this point, you can add it to any object that requires a DoS profile.
Edit a DoS profile for application security
Your virtual server must include an HTTP analytics profile before you can use the DoS profile Application Security feature.
You can configure the conditions under which the system determines that your application is under a DoS attack, and how the system reacts to a suspected attack.
- Go to the screen that displays your protected objects. The screen provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
- Click the DoS Profile column header to sort objects by DoS profile.
- Click the name of the DoS profile you want to edit. The DoS Profile Properties screen opens.
- On the left, click Application Security to expand the list.
- Click Properties to display the General Settings screen and configure the application security general settings.
- In the Application Security setting, select Enabled to use application security protection and display additional properties.
- In the IP Address Allowlist setting, specify the IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
  - To add an IP address to the allowlist, type it in the upper field, and click Add. The IP address is added to the allowlist in the lower field.
  - To delete an IP address from the allowlist, select the IP address from the allowlist in the lower field, and click Remove.
- In the Geolocations setting, specify that you want to override the DoS profile's geolocation detection criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
  - To allow traffic from a country, select the country and move it to the Geolocation Allowlist.
  - To block traffic from a country, select the country and move it to the Geolocation Denylist.
- Enable the Trigger iRule setting if you have an iRule that manages DoS events in a customized manner.
- Enable the Single Page Application setting if your website is a single page application.
- Configure the URL Patterns to use. Each URL pattern defines a set of URLs which are logically the same URL, with the varying part of the pattern acting as a parameter, such as /product/*php.
  - To add the URL pattern to the list, type the URL pattern and click Add.
  - To remove the URL pattern from the list, select the pattern from the URL Patterns list, and click Remove.
- Enable the Traffic Scrubbing setting if you want traffic scrubbing enabled during attacks by advertising BGP routes. This feature requires configuration of a scrubber profile. Change the Advertisement Duration value if needed.
- Enable the RTBH setting if you want to have remotely triggered black hole (RTBH) filtering of attacking BGP IP addresses by advertising the BGP routes. This feature requires configuration of the denylist publisher. Change the Advertisement Duration value if needed.
- Configure whether Performance Acceleration should be used.
  - To forgo performance acceleration, select None.
  - To use performance acceleration, select the TCP fastL4 profile to use as the fast-path for acceleration.
- To configure the Proactive Bot Defense settings, click Proactive Bot Defense.
  Operation Mode: Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks, or Always. If Off is selected, no other settings are shown on this tab.
  Block requests from suspicious browsers: Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
  - Select the Block Suspicious Browsers check box to enable or disable blocking of suspicious browsers.
  - Select the CAPTCHA Challenge check box to enable or disable issuing a challenge. Click CAPTCHA Response Settings to select the responses to use.
  Grace Period: Specifies the time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click Reset to Default to reset the value.
  Cross-Domain Requests: You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the Cross-Domain Requests options.
  Related Site Domains: Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking Add. Remove a domain by selecting it and clicking Remove.
  Related External Domains: Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking Add. Remove a domain by selecting it in the text box and clicking Remove.
  URL Allowlist: Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the allowlist by typing a URL in the text box and clicking Add. Remove a URL by selecting it and clicking Remove.
- To configure the Bot Signatures settings, click Bot Signatures.
  Bot Signature Check: Select Enabled to display settings. You cannot disable the Bot Signature Check property while Proactive Bot Detection, TPS-based Detection with By Device ID selected, or Stress-based Detection with By Device ID selected, is enabled. To disable the Bot Signature Check property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling Bot Signature Check, you can disable categories of bot signatures individually.
  Malicious Categories and Benign Categories: These two category lists are handled similarly. For either category, select None, Report, or Block. That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.
  Disabled Bot Signatures: Specifies bot signatures that are available and disabled. To specify, move the bot signatures between the Available Signatures list and the Disabled Signatures list.
- To configure how mobile applications built with the Anti-Bot Mobile SDK are detected, and to define how requests from mobile application clients are handled, click Mobile Applications.
  Mobile App Protection: Specify whether to use mobile application DoS protection.
  - Select Enabled to use configuration of mobile application DoS protection. When this is enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings.
  - Clear the Enabled check box to have mobile application requests handled without DoS protection.
  iOS: Specify the settings for iOS mobile applications.
  - To allow traffic on any iOS package, select Allow Any Package Name. A package name is the unique identifier of the mobile application, such as com.f5.app1.
  - To allow traffic from jailbroken iOS devices, select Allow Jailbroken Devices.
  - To allow traffic on specified packages, type the iOS package names to allow, and click Add. To remove a package from the list, select the package and click Remove. This option is not available if you have chosen Allow Any Package Name. When this is set, all other packages are blocked with the mobile application response page text.
  Android: Specify the settings for Android mobile applications.
  - To allow any application publisher, select Allow Any Publisher. A publisher is identified by the certificate used to sign the application.
  - To allow traffic from rooted Android devices, select Allow Rooted Devices.
  - To allow traffic on specified packages, select publisher certificates from the Available publisher certificate list, and move them to the Assigned publisher certificates list. All other certificates are blocked with the mobile application response page text. This option is not available if you have chosen Allow Any Publisher.
  Advanced: Specify advanced handling of requests from mobile applications.
  - When a CAPTCHA or client side integrity challenge needs to be presented, select the action to take.
    - To have the traffic passed without incident, select Always passed.
    - To have the traffic challenged for human behavior, select Challenged for human behavior. When this is selected, the SDK checks for human interactions with the screen in the last few seconds. If none are detected, the traffic is blocked.
  - To allow traffic from applications that are run on emulators, select Allow Emulators.
- To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click TPS-based Detection.
  Operation Mode: Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If it is set to Off, no other properties are shown.
  Thresholds Mode: Specifies how thresholds are configured.
  - To configure each mitigation behavior threshold manually, select Manual.
  - To use the system default mitigation threshold settings, select Automatic.
  The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
  By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
  By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- To configure settings for the detection of DoS attacks based on server stress, click Behavioral and Stress-based Detection.
  Operation Mode: Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent, or Blocking. If it is set to Off, no other properties are shown.
  Thresholds Mode: Specifies how thresholds are configured.
  - To configure each mitigation behavior threshold manually, select Manual.
  - To use the system default mitigation threshold settings, select Automatic.
  The Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
  By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
  By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
  By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
  By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
  Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
  Behavioral Detection and Mitigation: Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
  - For the Bad Actor Detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
  - For the Signature Detection setting, select Enabled to perform signature detection. Select Use approved signatures only to use only approved signatures.
  - For Mitigation, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
  Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
- To configure settings for protecting heavy URLs during DoS attacks, click Heavy URL Protection. Heavy URLs are those that have the potential to cause stress on the server, even with a low TPS count.
  Automatic Detection: Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
  Heavy URLs: You can configure a list of heavy URLs to protect, in addition to the automatically detected ones. Type a URL in the top field, and click Add. Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click Remove.
  Ignored URLs: You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click Add. To remove a URL from the list, select the URL from the text box, and click Remove.
  Latency Threshold: If Automatic Detection is enabled, set the Latency Threshold setting to the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Reset to Default to reset the value to 1000.
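To make the Heavy URL Protection settings above concrete, here is an added example (not F5 code, and not the BIG-IP detection algorithm itself, which the page does not describe): a simplified model that groups request latencies per URL, collapses concrete URLs into a configured URL Pattern such as /product/*php, skips Ignored URLs (with wildcards), and flags any URL whose average latency exceeds the Latency Threshold, merged with the manually listed Heavy URLs. The request data, URL patterns, ignored URLs and manual heavy URL are all constructed for illustration.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed sample of observed requests, one tuple per request: (URL, latency in ms).
# Illustrative values only, not captured BIG-IP data.
SAMPLE_REQUESTS = [
    ("/product/101.php", 1800),
    ("/product/202.php", 1500),
    ("/product/303.php", 1650),
    ("/search", 2400),
    ("/search", 2200),
    ("/static/logo.png", 40),
    ("/static/app.js", 55),
    ("/healthz", 3000),   # slow, but excluded via Ignored URLs in the usage below
    ("/index.html", 120),
]

DEFAULT_LATENCY_THRESHOLD_MS = 1000  # the page's default Latency Threshold


def pattern_to_regex(url_pattern):
    """Turn a URL Pattern such as /product/*php into a regex.
    Only '*' is a wildcard; everything else is matched literally."""
    parts = [re.escape(p) for p in url_pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def normalize_url(url, url_patterns):
    """Collapse a concrete URL into its matching URL Pattern, so that
    /product/101.php and /product/202.php are counted as one URL."""
    for pattern in url_patterns:
        if pattern_to_regex(pattern).match(url):
            return pattern
    return url


def is_ignored(url, ignored_urls):
    """Ignored URLs support wildcards; fnmatch gives shell-style '*' matching."""
    return any(fnmatch.fnmatch(url, ignored) for ignored in ignored_urls)


def detect_heavy_urls(requests, url_patterns=(), ignored_urls=(),
                      manual_heavy_urls=(),
                      latency_threshold_ms=DEFAULT_LATENCY_THRESHOLD_MS):
    """Return the sorted set of heavy URLs: the manually listed ones plus every
    (normalized) URL whose average latency exceeds the threshold."""
    totals = defaultdict(lambda: [0, 0])  # url -> [latency sum, request count]
    for url, latency_ms in requests:
        if is_ignored(url, ignored_urls):
            continue  # excluded from automatic detection
        key = normalize_url(url, url_patterns)
        totals[key][0] += latency_ms
        totals[key][1] += 1
    detected = {url for url, (total, count) in totals.items()
                if total / count > latency_threshold_ms}
    return sorted(detected | set(manual_heavy_urls))


if __name__ == "__main__":
    heavy = detect_heavy_urls(
        SAMPLE_REQUESTS,
        url_patterns=["/product/*php"],
        ignored_urls=["/healthz", "/static/*"],
        manual_heavy_urls=["/export/report"],   # constructed manual entry
    )
    print("Heavy URLs:", heavy)
```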
- To define the responses to use when issuing a challenge, click CAPTCHA Response Settings. The exact format of a response body differs, depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
  - For the First Response Type, select Default to use the default response, or select Custom to create your own first response body by entering it into the First Response Body area. Here is an example first response body:
    This question is for testing whether you are a human visitor and to prevent automated spam submission. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
  - For the Failure Response Type, select Default to use the default response, or select Custom to create your own failure response body by entering it into the Failure Response Body area. Here is an example failure response body:
    You have entered an invalid answer for the question. Please, try again. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
- Click Record Traffic to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration. You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a pcap extension and are located in this path on the BIG-IP device: /shared/dosl7/tcpdumps.
  Record Traffic During Attacks: Controls whether traffic recording is used. The default is disabled and causes the other properties to be hidden. Note that SSL traffic is recorded in encrypted form. Select Enabled to specify that the system records traffic when a DoS attack is underway, and to display the settings.
  Maximum TCP Dump Duration: Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
  Maximum TCP Dump Size: Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
  TCP Dump Repetition: Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
- Save your work.
The settings are incorporated into the DoS profile.
Next, you can view the attack details for an ongoing DDoS attack to monitor the impact of your edited DoS profile.