Applies To:
BIG-IP AFM
- 14.1.2, 14.1.0
AFM DoS Protection
Overview: DoS/DDoS Protection
BIG-IP AFM DoS Protection protects your data center from denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by detecting and mitigating a wide variety of malicious traffic patterns and packet types. These malicious traffic patterns and packets are also referred to as attack vectors or attack signatures. With BIG-IP AFM, you can either manually or automatically configure DoS/DDoS detection and mitigation.
Manual DoS configuration
An effective DoS/DDoS protection solution requires an in-depth traffic analysis to determine the baseline traffic patterns and thresholds, as well as attack patterns and thresholds. Once a traffic analysis is complete, you can determine the appropriate DoS/DDoS attack vectors, and manually configure the detection and mitigation thresholds for each.
Automatic DoS configuration
You can configure BIG-IP AFM to automatically detect and mitigate DoS/DDoS attacks using a wide variety of custom and default attack vectors. You can also enable the BIG-IP AFM Dynamic Signature feature to create signatures for, and mitigate, attacks based on traffic patterns that change over time.
DoS/DDoS attack vector categories
BIG-IP AFM has a large number of attack vectors that fall within three categories. This table lists the categories and a sample of the available DoS vectors from each category.
Network | DNS | SIP |
---|---|---|
Applying AFM DoS/DDoS protection
You can apply DoS/DDoS protection to the entire BIG-IP system or to individual virtual servers, also known as protected objects.
In the following scenario, we enable TCP SYN Flood attack protection at the device level and apply DNS NXDOMAIN Query attack protection to a protected object. We configure each of the DoS protections for automatic detection and mitigation.
Enabling and applying DoS protection involves several tasks.
Task list
- Enable Device Protection.
- Create a Protection Profile.
- Apply a Protection Profile.