Manual Chapter: Preventing Attacks with Eviction Policies and Connection Limits

Applies To: BIG-IP AFM 14.0.1, 14.0.0

What are eviction policies and connection limits?

An eviction policy provides the system with guidelines for how aggressively it discards flows from the flow table. You can customize the eviction policy to prevent flow table attacks, in which a large number of slow flows is used to exhaust system resources. You can also set how the system responds to such flow problems in an eviction policy, and attach eviction policies globally, to route domains, and to virtual servers, so that the system, applications, and network segments are protected with a high level of customization.

A connection limit provides a hard limit on the number of connections allowed on a virtual server or on a route domain. If you set such a limit, all connection attempts that exceed this limit are refused.

Task list

Creating an eviction policy

You can create eviction policies to control the granularity and aggressiveness with which the system discards flows.
  1. On the Main tab, click DoS Configuration > Eviction Policy.
  2. Click Create.
    The New Eviction Policy screen opens.
  3. In the Name field, type a name for the eviction policy.
  4. In the Trigger fields, type a high and low water mark for the eviction policy.
    This measure specifies the percentage of the quota, for this context, before flow eviction starts (high water mark) and ends (low water mark).
  5. Enable Slow Flow Monitoring to monitor flows that are considered slow by the system, and specify the slow flow threshold in bytes per second.
    This combination of settings monitors the system for flows that fall below the slow flow threshold for more than 30 seconds.
  6. In the Grace Period field, set a grace period, in seconds, between the detection of slow flows that meet the threshold requirement and the purging of slow flows according to the Slow Flow Throttling settings.
  7. In the Slow Flow Throttling area, set the slow flow throttling option:
    Disabled: Slow flows are monitored, but not removed from the system when the threshold requirement is met for 30 seconds.
    Absolute: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting an absolute limit removes all slow flows beyond the specified absolute number of flows.
    Percent: Slow flows are removed from the system when the threshold requirement is met for 30 seconds. Setting a percentage limit removes that percentage of the slow flows that exceed the specified monitoring setting, so the default value of 100% removes all slow flows that exceed the slow flow threshold, after the grace period.
  8. For Strategies, configure the strategies that the eviction policy uses to remove flows by moving algorithms from the Available list to the Selected list.
  9. Click Finished.
The eviction policy appears in the Eviction Policy List.
To use an eviction policy, associate it with a protected object or a route domain. You can configure a global eviction policy at System > Configuration > Local Traffic > General.

Eviction policy strategy algorithms

This table lists the BIG-IP eviction policy algorithms and associated configuration information.

In an eviction policy, you specify one or more algorithms, or any combination of algorithms, to determine how traffic flows are dropped when the eviction policy threshold limits are reached. Selected algorithms are processed at the same time as a combined strategy, not in a specific order, so the combination of algorithms determines the final strategy used to remove flows. This strategy biases or weights the final algorithm toward the outcomes you have selected, though these choices are not absolute.

Important: You must specify at least one algorithm to use to determine how traffic is dropped with an eviction policy, otherwise flows are removed at random when the eviction policy threshold is reached.
Bias Idle: Biases flow removal toward the existing flows that have been idle, with no payload bytes, for the longest.
Bias Oldest: Biases flow removal toward the oldest existing flows.
Bias Bytes: Biases flow removal toward the flows with the fewest bytes. When this algorithm is selected, add a value to the Minimum Time Delay field in the Strategy Configuration area. This value determines the minimum period of time for which a flow is allowed to exist before it is subject to removal through the Bias Bytes algorithm.
Bias Fast: Biases flow removal toward the fastest existing flows.
Bias Slow: Biases flow removal toward the slowest existing flows.
Low Priority Route Domains: Biases flow removal toward flows on low priority route domains. When this algorithm is selected, use the Low Priority Route Domains setting in the Strategy Configuration area to move low priority route domains from the Available list to the Selected list.
Low Priority Virtual Servers: Biases flow removal toward flows on low priority virtual servers. When this algorithm is selected, use the Low Priority Virtual Servers setting in the Strategy Configuration area to move low priority virtual servers from the Available list to the Selected list.
Low Priority Countries: Biases flow removal toward flows from lower priority countries. When this algorithm is selected, in the Low Priority Countries setting in the Strategy Configuration area, select low priority countries from the list and click Add to add them to the low priority list.
Low Priority Ports and Protocols: Biases flow removal toward flows on low priority ports and protocols. When this algorithm is selected, use the Low Priority Ports and Protocols setting in the Strategy Configuration area to add ports, protocols, and combinations to the low priority ports and protocols list (you must also specify a name).
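To make the interaction between the water marks, the combined strategy and Slow Flow Throttling concrete, here is an added Python model of the behaviour described in the task above and in this table; it is not F5 code. The sample flow table, the 0..1 scaling of each algorithm's metric, and the choice of which slow flows an Absolute limit purges first are assumptions made for the example.

```python
"""Toy model of this chapter's eviction policy: water marks, biased strategies, slow-flow throttling."""
import random
from collections import namedtuple

SLOW_FLOW_WINDOW = 30  # seconds below the threshold before a flow counts as slow (per the manual)
# age/idle/slow_for in seconds, total_bytes in bytes, rate_bps in bytes per second
Flow = namedtuple("Flow", "fid age idle total_bytes rate_bps slow_for")

# One metric per algorithm; a larger value makes the flow a likelier eviction candidate.
METRICS = {"bias_idle": lambda f: f.idle, "bias_oldest": lambda f: f.age,
           "bias_bytes": lambda f: -f.total_bytes, "bias_slow": lambda f: -f.rate_bps,
           "bias_fast": lambda f: f.rate_bps}

def eviction_score(flow, flows, strategies, min_time_delay):
    """Selected algorithms are combined, not ordered: sum each metric scaled to 0..1 (assumed)."""
    score = 0.0
    for name in strategies:
        if name == "bias_bytes" and flow.age < min_time_delay:
            continue  # Minimum Time Delay: flow is too young to be evicted by Bias Bytes
        values = [METRICS[name](f) for f in flows]
        lo, hi = min(values), max(values)
        score += (METRICS[name](flow) - lo) / (hi - lo) if hi > lo else 0.0
    return score

def evict_on_water_mark(flows, quota, high, low, strategies=(), min_time_delay=0):
    """No eviction below the high water mark; above it, remove flows until usage is at the low mark."""
    if len(flows) * 100 / quota < high:
        return []
    n_evict = len(flows) - low * quota // 100
    if not strategies:  # no algorithm selected: flows are removed at random
        return random.sample(flows, n_evict)
    key = lambda f: eviction_score(f, flows, strategies, min_time_delay)
    return sorted(flows, key=key, reverse=True)[:n_evict]

def throttle_slow_flows(flows, threshold_bps, grace_period, mode, value):
    """Slow Flow Throttling: purge flows under the threshold for 30 s plus the grace period."""
    slow = sorted((f for f in flows if f.rate_bps < threshold_bps
                   and f.slow_for > SLOW_FLOW_WINDOW + grace_period), key=lambda f: f.rate_bps)
    if mode == "disabled":
        return []
    if mode == "absolute":  # assumption: the slowest flows beyond the allowed count are purged
        return slow[:max(0, len(slow) - value)]
    return slow[:round(len(slow) * value / 100)]  # "percent"

# Constructed sample flow table (not real traffic).
FLOWS = [Flow("f1", 600, 300, 100, 2, 120), Flow("f2", 30, 1, 50000, 800, 0),
         Flow("f3", 900, 50, 2000, 5, 40), Flow("f4", 10, 10, 10, 1, 10),
         Flow("f5", 1200, 600, 90000, 300, 0), Flow("f6", 45, 5, 700, 60, 0),
         Flow("f7", 200, 120, 30, 3, 90), Flow("f8", 75, 2, 12000, 400, 0)]
```

With a quota of 10 flows, a high water mark of 80% and a low water mark of 50%, the eight sample flows trigger eviction of three flows, and f4, despite having the fewest bytes, survives a Bias Bytes strategy with a 60-second Minimum Time Delay.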

Limiting global connections and flows

You must first create an eviction policy before you can assign one globally. The system includes a global eviction policy, by default.
Assign global connection limits and an eviction policy to prevent possible attacks or overflows on system flows.
  1. On the Main tab, click System > Configuration > Local Traffic > General.
    The Local Traffic General settings screen opens.
  2. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  3. Click Update to apply the changes.
    The eviction policy is applied to the context.

Limiting connections and flows on a virtual server

You must first create an eviction policy before you can assign one to a virtual server.
Assign connection limits and an eviction policy to a virtual server to enact granular control over possible attacks or overflows on system flows.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. In the Connection Limit field, type a number that specifies the maximum number of concurrent open connections.
  5. From the Eviction Policy list, select an eviction policy to apply to the virtual server.
  6. Click Update to apply the changes.
    The eviction policy is applied to the context.

Limiting connections and flows on a route domain

Before performing this task, confirm that you have a configured route domain, or use the common route domain 0. You must add VLANs to a route domain for the route domain to affect traffic.
Assign connection limits and an eviction policy to a route domain to enact granular control over possible attacks or overflows on system flows.
  1. On the Main tab, click Network > Route Domains.
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. In the Connection Limit field, type the maximum number of concurrent connections allowed for the route domain. Setting this to 0 turns off connection limits. The default is 0.
  4. From the Eviction Policy list, select an eviction policy to apply to this route domain.
  5. Click Update.
    The system displays the list of route domains on the BIG-IP system.
The route domain now applies the connection limit and eviction policy to flows and connections.