Applies To: BIG-IP AFM
- 14.1.2, 14.1.0
Preventing Attacks with Eviction Policies and Connection Limits
What are eviction policies and connection limits?
An eviction policy provides the system with guidelines for how aggressively it discards flows from the flow table. You can customize the eviction policy to prevent flow table attacks, in which a large number of slow flows are used to tie up system resources. You can also set how the system responds to such flow problems in an eviction policy, and attach eviction policies globally, to route domains, and to virtual servers, to protect the system, applications, and network segments with a high level of customization.
A connection limit is a hard limit on the number of connections allowed on a virtual server or on a route domain. Once such a limit is reached, any further connection attempts are refused.
Task list
Creating an eviction policy
Eviction policy strategy algorithms
This table lists the BIG-IP eviction policy algorithms and associated configuration information.
In an eviction policy, you specify one or more algorithms, or any combination of algorithms, to determine how traffic flows are dropped when the eviction policy threshold limits are reached. Selected algorithms are processed at the same time as a combined strategy, not in a specific order, so the combination of algorithms determines the final strategy used to remove flows. This strategy biases or weights the final algorithm toward the outcomes you have selected, though these choices are not absolute.
Algorithm | Description |
---|---|
Bias Idle | Biases flow removal toward the existing flows that have been idle, with no payload bytes, for the longest. |
Bias Oldest | Biases flow removal toward the oldest existing flows. |
Bias Bytes | Biases flow removal toward the flows with the fewest bytes. When this algorithm is selected, add a value to the field Minimum Time Delay in the Strategy Configuration area. This value determines the period of time for which a flow is allowed to exist, at a minimum, before it is subject to removal through the Bias Bytes algorithm. |
Bias Fast | Biases flow removal toward the fastest existing flows. |
Bias Slow | Biases flow removal toward the slowest existing flows. |
Low Priority Route Domains | Biases flow removal toward flows on low priority route domains. When this algorithm is selected, use the Low Priority Route Domains setting in the Strategy Configuration area to move low priority route domains from the Available list to the Selected list. |
Low Priority Virtual Servers | Biases flow removal toward flows on low priority virtual servers. When this algorithm is selected, use the Low Priority Virtual Servers setting in the Strategy Configuration area to move low priority virtual servers from the Available list to the Selected list. |
Low Priority Countries | Biases flow removal toward flows from lower priority countries. When this algorithm is selected, in the Low Priority Countries setting in the Strategy Configuration area, select low priority countries from the list and click Add to add them to the low priority list. |
Low Priority Ports and Protocols | Biases flow removal toward flows on low priority ports and protocols. When this algorithm is selected, use the Low Priority Ports and Protocols setting in the Strategy Configuration area to add ports, protocols, and combinations to the low priority ports and protocols list (you must also specify a name). |
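To make the combined-strategy behaviour above concrete, here is an added illustrative model in Python. It is not F5's implementation (the product's internal weighting is not documented on this page); it assumes each selected bias contributes an equal, normalised rank to a flow's eviction score, so every algorithm weighs in at once rather than in sequence, and it shows how the Bias Bytes minimum time delay shields very young flows that simply have not had time to send bytes yet. The `Flow` fields, the `low_priority` flag and the sample table are constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Flow:
    fid: str
    age_s: float        # seconds since the flow was created
    idle_s: float       # seconds since the last payload byte
    bytes_total: int    # payload bytes seen so far
    rate_bps: float     # observed throughput
    low_priority: bool  # on a low-priority route domain, virtual server, port or country

def _rank(flows, key, reverse=False):
    # Normalised position in [0, 1]; 1.0 = most eligible for removal under this one bias.
    ordered = sorted(flows, key=key, reverse=reverse)
    n = max(len(ordered) - 1, 1)
    return {f.fid: i / n for i, f in enumerate(ordered)}

def eviction_scores(flows, algorithms, bias_bytes_min_delay_s=0.0):
    # Sum the per-bias ranks: every selected algorithm weighs in at once, none runs "first".
    scores = {f.fid: 0.0 for f in flows}
    for alg in algorithms:
        if alg == "bias_idle":                          # longest idle ranks highest
            r = _rank(flows, key=lambda f: f.idle_s)
        elif alg == "bias_oldest":                      # oldest ranks highest
            r = _rank(flows, key=lambda f: f.age_s)
        elif alg == "bias_bytes":                       # fewest bytes ranks highest, but only
            eligible = [f for f in flows if f.age_s >= bias_bytes_min_delay_s]  # past the min delay
            r = _rank(eligible, key=lambda f: f.bytes_total, reverse=True)
        elif alg in ("bias_fast", "bias_slow"):         # fastest (or slowest) ranks highest
            r = _rank(flows, key=lambda f: f.rate_bps, reverse=(alg == "bias_slow"))
        elif alg == "low_priority":                     # any low-priority bucket gets full weight
            r = {f.fid: 1.0 if f.low_priority else 0.0 for f in flows}
        else:
            raise ValueError(f"unknown algorithm: {alg}")
        for fid, v in r.items():
            scores[fid] += v
    return scores

def select_for_eviction(flows, algorithms, table_limit, **kw):
    # Ids of the flows to drop so the table shrinks back to table_limit, highest score first.
    excess = len(flows) - table_limit
    if excess <= 0:
        return []
    scores = eviction_scores(flows, algorithms, **kw)
    return sorted(scores, key=scores.get, reverse=True)[:excess]

FLOWS = [  # constructed sample flow table (hypothetical values, not captured data)
    Flow("f1", age_s=300, idle_s=250, bytes_total=40, rate_bps=1, low_priority=False),     # slow, idle, tiny
    Flow("f2", age_s=5, idle_s=0, bytes_total=20, rate_bps=5000, low_priority=False),      # brand new, few bytes yet
    Flow("f3", age_s=120, idle_s=2, bytes_total=900_000, rate_bps=8000, low_priority=False),
    Flow("f4", age_s=60, idle_s=10, bytes_total=5000, rate_bps=100, low_priority=True),
]
```

With Bias Bytes alone and no minimum delay, the brand-new flow f2 is evicted first; with a 10-second minimum delay it is shielded and the long-idle, byte-starved f1 goes instead.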