Manual Chapter : AFM DoS Protection

Applies To:

BIG-IP AFM

  • 14.1.2, 14.1.0

AFM DoS Protection

Overview: DoS/DDoS Protection

BIG-IP AFM DoS Protection protects your data center from denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by detecting and mitigating a wide variety of malicious traffic patterns and packet types. These malicious traffic patterns and packets are also referred to as attack vectors or attack signatures. With BIG-IP AFM, you can either manually or automatically configure DoS/DDoS detection and mitigation.

Important: An effective DoS solution blocks attack traffic while allowing legitimate traffic.

Manual DoS configuration

An effective DoS/DDoS protection solution requires an in-depth traffic analysis to determine the baseline traffic patterns and thresholds, as well as attack patterns and thresholds. Once a traffic analysis is complete, you can determine the appropriate DoS/DDoS attack vectors, and manually configure the detection and mitigation thresholds for each.

Automatic DoS configuration

You can configure BIG-IP AFM to automatically detect and mitigate DoS/DDoS attacks using a wide variety of custom and default attack vectors. You can also enable the BIG-IP AFM Dynamic Signature feature, which creates attack signatures dynamically and mitigates attacks based on traffic patterns that change over time.

DoS/DDoS attack vector categories

BIG-IP AFM has a large number of attack vectors that fall within three categories. The categories, with a sample of the available DoS vectors from each, are listed below.

Network:
  • ARP Flood
  • ICMP Flood
  • IP Fragment Flood
  • LAND attack
  • TCP SYN Flood

DNS:
  • DNS AAAA Query
  • DNS Malformed
  • DNS NXDOMAIN Query
  • DNS Oversize
  • DNS Response Flood

SIP:
  • SIP ACK Method
  • SIP OPTIONS Method
  • SIP Malformed
  • SIP REGISTER Method
  • SIP URI Limit

Applying AFM DoS/DDoS protection

You can apply DoS/DDoS protection to the entire BIG-IP system or to individual virtual servers, also known as protected objects.

In the following scenario, we enable TCP SYN Flood attack protection at the device level and apply DNS NXDOMAIN Query attack protection to a protected object. We configure each of the DoS protections for automatic detection and mitigation.

Enabling and applying DoS protection involves several tasks.

Task list

  1. Enable Device Protection.
  2. Create a Protection Profile.
  3. Apply a Protection Profile.

Enable device level DoS protection

Device protection applies to the entire BIG-IP system. When the system detects an attack, it can apply mitigation to all ingress traffic. In this task, you configure the TCP SYN Flood DoS vector to automatically detect and mitigate TCP SYN Flood attacks, and you enable the Network Dynamic Signature feature.
  1. On the Main tab, click Security > DoS Protection > Device Protection.
  2. For Log Publisher, for this scenario, select local-db-publisher.
    When the system detects an attack, it sends messages to the /var/log/ltm file indicating the begin and end times of each DoS attack.
  3. For the Threshold Sensitivity list, ensure that Medium is selected.
    A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
  4. Click Network in the middle of the page.
    The area expands to display the attack vectors list.
  5. Under Attack Type, click the TCP SYN Flood link.
    You might find it easier to locate this link if you have the list sorted by name.
  6. In the properties pane to the right, change the State setting to Mitigate.
  7. Click Fully Automatic.
  8. Ensure that Bad Actor Detection is selected to blacklist any IP addresses that are the source of an attack.
  9. In the main screen area, scroll up to the Network Family settings, and click the Configure link.
    The Properties pane on the right changes to show Network Properties.
  10. From the Dynamic Signature Detection list, select Enabled.
    A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic signature enforcement, such attacks can be detected and mitigated automatically by AFM.
  11. From the Mitigation Sensitivity list, select Medium.
  12. At the upper left of the main screen, click Commit Changes to System.
The BIG-IP system is now configured to automatically detect and protect against TCP SYN Flood attacks, and dynamically create and mitigate attack vectors not in the predefined Network attack vector family.

Create a DoS protection profile

You can apply protection profiles to specific virtual servers, selecting the DoS vectors and thresholds appropriate for that specific application. In this task example, you create a protection profile to protect a DNS virtual server from DNS NXDOMAIN Query attacks.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
  2. On the far right, click Create.
  3. Type a Name for the new protection profile.
    For this example, type nxdomain_ddos.
  4. For the Threshold Sensitivity list, ensure that Medium is selected.
    A lower setting means the threshold algorithm is less sensitive to changes in traffic and CPU usage.
  5. In the Families setting, select DNS.
    The DNS area displays below the Filter Attack Vectors filter.
  6. Click DNS.
  7. In the Vector Name column, click the DNS NXDOMAIN Query link.
    The properties pane opens on the right, showing the DNS NXDOMAIN Query.
  8. From the State list, select Mitigate.
  9. Click Fully Automatic.
  10. Ensure that Bad Actor Detection is selected.
  11. At the upper left of the main screen, click Commit Changes to System.
You have now created a protection profile with Medium threshold sensitivity to protect a DNS virtual server from DNS NXDOMAIN Query attacks. DoS protection does not occur until the protection profile is applied to the protected object.
Next, you need to apply the DoS protection profile to the protected object.
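To show what the vector configured above does once traffic flows, here is an added Python model (not F5's code and not AFM's detection algorithm): it reads the RCODE from constructed DNS response headers, counts NXDOMAIN responses per second and per source, records attack begin/end transitions like the messages AFM writes to /var/log/ltm, reports the excess over a mitigation rate, and flags sources that cross a per-source bad actor rate. The threshold values, addresses and traffic are constructed assumptions.

```python
import struct
from collections import Counter, defaultdict

NXDOMAIN = 3  # DNS RCODE "Name Error" (RFC 1035 section 4.1.1)
def dns_rcode(packet: bytes) -> int:
    """RCODE is the low 4 bits of the DNS header flags field (bytes 2-3)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[2:4])[0] & 0x0F

def make_response(txid: int, rcode: int) -> bytes:
    """Constructed 12-byte response header: QR=1, RD=1, RA=1, one question."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0x0F), 1, 0, 0, 0)

class NxdomainVector:
    """Rate-threshold model of the NXDOMAIN vector (fixed pps thresholds are assumed; not AFM's algorithm)."""
    def __init__(self, detection_pps=50, mitigation_pps=100, bad_actor_pps=40):
        self.detection_pps, self.mitigation_pps = detection_pps, mitigation_pps
        self.bad_actor_pps = bad_actor_pps
        self.per_second = defaultdict(Counter)  # second -> {src_ip: count}

    def observe(self, second: int, src_ip: str, packet: bytes) -> None:
        """Only NXDOMAIN responses feed this vector; other RCODEs are ignored."""
        if dns_rcode(packet) == NXDOMAIN:
            self.per_second[second][src_ip] += 1

    def evaluate(self) -> list:
        """Emit attack begin/end events (as logged to /var/log/ltm), the excess over
        the mitigation rate, and sources that crossed the per-source bad actor rate."""
        events, attacking = [], False
        for second, counts in sorted(self.per_second.items()):
            total = sum(counts.values())
            bad = sorted(ip for ip, n in counts.items() if n >= self.bad_actor_pps)
            over = total >= self.detection_pps
            if over != attacking:  # state transition: log begin or end of attack
                attacking = over
                events.append((second, "attack_begin" if over else "attack_end", total, bad))
            if over and total > self.mitigation_pps:  # rate-limit the excess
                events.append((second, "rate_limit", total - self.mitigation_pps, bad))
        return events

def demo() -> list:
    vec = NxdomainVector()  # constructed traffic: 10 NXDOMAIN/s background
    for second in range(5):
        srcs = [(f"192.0.2.{i}", NXDOMAIN) for i in range(10)] + [("192.0.2.200", 0)]
        if second in (2, 3):  # one bad actor adds 120 NXDOMAIN/s in seconds 2 and 3
            srcs += [("198.51.100.7", NXDOMAIN)] * 120
        for txid, (ip, rcode) in enumerate(srcs):
            vec.observe(second, ip, make_response(txid, rcode))
    return vec.evaluate()
```

Running demo() yields an attack_begin at second 2 with the flooding source listed as a bad actor, a rate_limit entry for seconds 2 and 3, and an attack_end at second 4 once the rate falls below the detection threshold.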

Apply the DoS protection profile

As the last task in applying the DDoS protection, you apply the new Protection Profile to the DNS virtual server. The Protection Profile will prevent attackers from filling the BIG-IP system cache with bad requests and significantly impacting DNS resolution performance.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. In the Name column, click the name of the virtual server.
    The Properties pane opens at the right of the page.
  3. From the Service Profile list, ensure that the virtual server has an associated profile.
  4. Click Protection Settings at the bottom of the pane.
    The Protection Settings options display.
  5. From the Protection Profile list, select the name of the protection profile. For this example task, select nxdomain_ddos.
  6. Click Save.
You have now configured the virtual server to automatically detect and protect against DNS NXDOMAIN Query attacks.
You might now want to view DoS attack reports.