Manual Chapter : Managing DoS Profiles

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0
Manual Chapter

Managing DoS Profiles

Using DoS profiles to improve application security

A denial of service attack (DoS attack) makes a resource unavailable to its intended users, or obstructs the communication media between the intended users and the site. A DoS profile allows you to define, monitor, and mitigate traffic patterns that threaten application security.
First, you create a new DoS profile that defines general properties of DoS protection. Once the profile is created, you can configure your profile to detect DoS attacks specific to application security. Application security can define DoS attacks based on either:
  • A high volume of incoming traffic (using
    TPS-based Detection
    settings)
  • Server stress (with
    Behavioral and Stress-based Detection
    settings)
You can assign your new DoS profile to one, or several applications and virtual servers that require DoS attack protection.

Create a DoS profile with application security

Before you can create a DoS profile, your virtual server must include an HTTP profile to use the application security feature.
You create a new DoS profile for your objects if you have not yet configured DoS protection, or if the current DoS profiles in the system do not meet the needs of your application or stand-alone virtual server.
  1. Go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    The screen displays your protected objects, and provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
  2. Click
    Create
    and select
    DoS Profile
    .
  3. In the New DoS Profile screen, add and set the properties as appropriate.
  4. Specify a unique
    Name
    for the DoS profile.
  5. To add a template that automatically populates the required fields for specific protection aspects of the DoS profile, select and option from
    Create from template
    .
    Certain template options have a minimum required BIG-IP device version. Ensure that you are creating a DoS profile for a device that meets these requirements.
  6. Specify an optional
    Description
    for the DoS profile.
  7. Specify the
    Partition
    to which the DoS profile belongs.
    You can replace the default
    Common
    partition when creating DoS profiles by typing a unique name for a new partition.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  8. If you want to make this policy available to application templates, for
    Application Templates
    select the
    Make available in Application Templates
    check box.
  9. Specify the
    Threshold Sensitivity
    for the DoS profile.
    Thresholds for detecting attacks are higher when sensitivity is
    Low
    , and lower when sensitivity is
    High
    .
    This property is not used with the Application Security protection type.
  10. In the
    Source IP Address Allowlist
    setting, specify the configuration of the Source IP address allow list.
    This property is not used with the Application Security protection type.
  11. In the
    HTTP Allowlist
    setting, specify the HTTP allowlist to use.
    This setting is applied only to BIG-IP devices version 13.0, or later.
  12. At the left, click
    Application Security
    Properties
    , then select the
    Application Security
    Enabled
    check box,
    When enabled, this protects your web application against DoS attacks. Supply or modify any necessary values in the Properties settings. For information on the configuration process, refer to the
    Configure for application security
    topic in
    F5 BIG-IQ Centralized Management: Security
    on
    support.f5.com
    .
  13. To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click
    TPS-based Detection
    .
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects an attack, and can be
    Off
    ,
    Transparent
    , or
    Blocking
    . If set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  14. To configure settings for the detection of DoS attacks based on server stress, click
    Behavioral and Stress-based Detection
    .
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects a stress-based attack, and can be
    Off
    ,
    Transparent
    or
    Blocking
    . If set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Detection and Mitigation
    Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
    • For the
      Bad actors behavior detection
      setting, select
      Enabled
      to perform traffic behavior, server capacity learning, and anomaly detection.
    • For the
      Request signatures detection
      setting, select
      Enabled
      to perform signature detection.
    • For signature detection before establishing a connection, select
      Accelerated signatures
      .
    • For system admin mitigation approval of detected signatures
      Use approved signatures only
      . This is an extra step that allows the administrator to manually approve detect signatures.
    • For the
      Mitigation
      setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment,
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  15. When you are finished, save your work.
The new DoS profile is added to the list of profiles. At this point, you can add it to any object that requires a DoS profile.

Edit DoS profile for application security

Your virtual server must include an HTTP analytics profile before you can use the DoS profile Application Security feature.
You can configure the conditions under which the system determines that your application is under a DoS attack, and how the system reacts to a suspected attack.
  1. Go to
    Monitoring
    DASHBOARDS
    L7 Dashboard
    The screen displays your protected objects, and provides summary data, based on the selected time settings. To change the scope of the time settings, use the control to the top left of the screen.
  2. Click the DoS Profile column header to sort objects by DoS profile.
  3. Click the name of the DoS profile you want to edit.
    The DoS Profile Properties screen opens.
  4. On the left, click
    Application Security
    to expand the list.
  5. Click
    Properties
    to display the General Settings screen and configure the application security general settings.
    1. In the
      Application Security
      setting, select
      Enabled
      to use application security protection and display additional properties.
    2. In the
      IP Address Allowlist
      setting, specify the IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
      • To add an IP address to the allowlist, type it in the upper field, and click
        Add
        . The IP address is added to the allowlist in the lower field.
      • To delete an IP address from the allowlist, select the IP address from the allowlist in the lower field, and click
        Remove
        .
      Apply this setting only to BIG-IP devices earlier than version 13.0.
    3. In the
      Geolocations
      setting, specify that you want to override the DoS profile's geolocation detection criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
      • To allow traffic from a country, select the country and move it to the
        Geolocation Allowlist
        .
      • To block traffic from a country, select the country and move it to the
        Geolocation Denylist
        .
    4. Enable the
      Trigger iRule
      setting if you have an iRule that manages DoS events in a customized manner.
    5. Enable the
      Single Page Application
      setting if your website is a single page application.
    6. Configure the
      URL Patterns
      to use. Each URL pattern defines a set of URLs which are logically the same URL with the varying part of the pattern acting as a parameter, such as
      /product/*php
      .
      • To add the URL pattern to the list, type the URL pattern and click
        Add
        .
      • To remove the URL pattern from the list, select the pattern from the
        URL Patterns
        list, and click
        Remove
        .
    7. Enable the
      Traffic Scrubbing
      setting if you want traffic scrubbing enabled during attacks by advertising BGP routes. This feature requires configuration of a scrubber profile. Change the
      Advertisement Duration
      value if needed.
    8. Enable the
      RTBH
      setting if you want to have remotely triggered black hole (RTBH) filtering of attacking BGP IP addresses by advertising the BGP routes. This feature requires configuration of the denylist publisher. Change the
      Advertisement Duration
      value if needed.
    9. Configure whether
      Performance Acceleration
      should be used.
      • To forgo performance acceleration, select
        None
        .
      • To use performance acceleration, select the TCP fastL4 profile to use as the fast-path for acceleration.
  6. To configure the Proactive Bot Defense settings, click
    Proactive Bot Defense
    .
    Property
    Description
    Operation Mode
    Specifies the conditions under which the system detects and blocks bots. Select
    Off
    ,
    During Attacks
    , or
    Always
    . If
    Off
    is selected, no other settings are shown on this tab.
    Block requests from suspicious browsers
    Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
    • Select the
      Block Suspicious Browsers
      check box to enable or disable blocking of suspicious browsers.
    • Select the
      CAPTCHA Challenge
      check box to enable or disable issuing a challenge. Click
      CAPTCHA Response Settings
      to select the responses to use.
    Grace Period
    Specifies time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click
    Reset to Default
    to reset the value.
    Cross-Domain Requests
    You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the
    Cross-Domain Requests
    options.
    Related Site Domains
    Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking
    Add
    . Remove a domain by selecting it and clicking
    Remove
    .
    Related External Domains
    Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking
    Add
    . Remove a domain by selecting it in the text box and clicking
    Remove
    .
    URL Allowlist
    Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the allowlist by typing a URL in the text box and clicking
    Add
    . Remove a URL by selecting it and clicking
    Remove
    .
  7. To configure the Bot Signatures settings, click
    Bot Signatures
    .
    Property
    Description
    Bot Signature Check
    Select
    Enabled
    to display settings. You cannot disable the
    Bot Signature Check
    property while
    Proactive Bot Detection
    ,
    TPS-based Detection
    with
    By Device ID
    selected, or
    Stress-based Detection
    with
    By Device ID
    selected, is enabled. To disable the
    Bot Signature Check
    property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling
    Bot Signature Check
    , you can disable categories of bot signatures individually.
    Malicious Categories
    and
    Benign Categories
    These two category lists are handled similarly.
    For either category, select
    None
    ,
    Report
    , or
    Block
    . That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the
    Malicious Categories
    or
    Benign Categories
    changes to
    Custom Configuration
    . A user cannot set all categories to
    None
    and keep
    Proactive Bot Defense
    enabled.
    Disabled Bot Signatures
    Specifies bot signatures that are available and disabled. To specify, move the bot signatures between the
    Available Signatures
    list and the
    Disabled Signatures
    list.
  8. To configure how mobile applications built with the Anti-Bot Mobile SDK are detected, and to define how requests from mobile application clients are handled, click
    Mobile Applications
    .
    Property
    Description
    Mobile App Protection
    Specify whether to use mobile application DoS protection.
    • Select
      Enabled
      to use configuration of mobile application DoS protection. When this is enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings.
    • Clear the
      Enabled
      check box to have mobile application requests handled without DoS protection.
    iOS
    Specify the settings for iOS mobile applications.
    • To allow traffic on any iOS package, select
      Allow Any Package Name
      . A
      package name
      is the unique identifier of the mobile application, such as
      com.f5.app1
      .
    • To allow traffic from jailbroken iOS devices, select
      Allow Jailbroken Devices
      .
    • To allow traffic on specified packages, type the iOS package names to allow, and click
      Add
      . To remove a package from the list, select the package and click
      Remove
      . This option is not available if you have chosen
      Allow Any Package Name
      . When this is set, all other packages are blocked with the mobile application response page text.
    Android
    Specify the settings for Android mobile applications.
    • To allow any application publisher, select
      Allow Any Publisher
      . A publisher is identified by the certificate used to sign the application.
    • To allow traffic from rooted Android devices, select
      Allow Rooted Devices
      .
    • To allow traffic on specified packages, select publisher certificates from the
      Available publisher certificate
      list, and move them to the
      Assigned publisher certificates
      list. All other certificates are blocked with the mobile application response page text. This option is not available if you have chosen
      Allow Any Publisher
      .
    Advanced
    Specify advanced handling of requests from mobile applications.
    • When a CAPTCHA or client side integrity challenge needs to be presented, select the action to take.
      • To have the traffic passed without incident, select
        Always passed
        .
      • To have the traffic challenged for human behavior, select
        Challenged for human behavior
        . When this is selected, the SDK checks for human interactions with the screen in the last few seconds. If none are detected, the traffic is blocked.
    • To allow traffic from applications that are run on emulators, select
      Allow Emulators
      .
  9. To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click
    TPS-based Detection
    .
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects an attack, and can be
    Off
    ,
    Transparent
    , or
    Blocking
    . If it is set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  10. To configure settings for the detection of DoS attacks based on server stress, click
    Behavioral and Stress-based Detection
    .
    Property
    Description
    Operation Mode
    Specifies how the system reacts when it detects a stress-based attack, and can be
    Off
    ,
    Transparent
    , or
    Blocking
    . If it is set to
    Off
    , no other properties are shown.
    Thresholds Mode
    Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select
      Manual
      .
    • To use the system default mitigation threshold settings, select
      Automatic
      .
    Your
    Thresholds Mode
    selection affects which threshold options are available in the other sections on this screen.
    By Source IP
    Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID
    Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation
    Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude denylisted and allowlisted geolocations.
    By URL
    Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the
    Click to configure
    link next to the option to do so.
    Site Wide
    Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Detection and Mitigation
    Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
    • For the
      Bad Actor Detection
      setting, select
      Enabled
      to perform traffic behavior, server capacity learning, and anomaly detection.
    • For the
      Signature Detection
      setting, select
      Enabled
      to perform signature detection. Select
      Use approved signatures only
      to use only approved signatures.
    • For
      Mitigation
      , select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment,
    Prevention Duration
    Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  11. To configure settings for protecting heavy URLs during DoS attacks, click
    Heavy URL Protection
    .
    Heavy URLs are those that have the potential to cause stress on the server, even with a low TPS count.
    Property
    Description
    Automatic Detection
    Select
    Enabled
    to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
    Heavy URLs
    You can configure a list of heavy URLs to protect, in addition to the automatically detected ones. Type a URL in the top field, and click
    Add
    . Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click
    Remove
    Ignored URLs
    You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click
    Add
    . To remove a URL from the list, select the URL from the text box, and click
    Remove
    Latency Threshold
    If
    Automatic Detection
    is enabled, set the
    Latency Threshold
    setting to be the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is
    1000
    milliseconds. Click
    Reset to Default
    to reset the value to 1000.
  12. To define the responses to use when issuing a challenge, click
    CAPTCHA Response Settings
    .
    The exact format of a response body differs, depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
    1. For the
      First Response Type
      , select
      Default
      to use the default response, or select
      Custom
      to create your own first response body by entering it into the
      First Response Body
      area.
      Here is an example first response body:
      This question is for testing whether you are a human visitor and to prevent automated spam submission. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
    2. For the
      Failure Response Type
      , select
      Default
      to use the default response, or select
      Custom
      to create your own failure response body by entering it into the
      Failure Response Body
      area.
      Here is an example failure response body:
      You have entered an invalid answer for the question. Please, try again. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
  13. Click
    Record Traffic
    to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a
    pcap
    extension and are located in this path on the BIG-IP device:
    /shared/dosl7/tcpdumps
    .
    Property
    Description
    Record Traffic During Attacks
    Controls whether traffic recording is used. The default is disabled and causes other properties to be hidden. Note that the system records SSL traffic encrypted. Select
    Enabled
    to specify that the system record traffic when a DoS attack is underway, and display settings.
    Maximum TCP Dump Duration
    Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
    Maximum TCP Dump Size
    Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
    TCP Dump Repetition
    Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
  14. Save your work.
The settings are incorporated into the DoS profile.
Next, you can view the attack details for an ongoing DDoS attack to monitor the impact of your edited DoS Profile.