Manual Chapter : Detecting and Preventing Network DoS Attacks on a Protected Object

Applies To:


BIG-IP AFM

  • 14.0.1, 14.0.0

Detecting and Preventing Network DoS Attacks on a Protected Object

Overview: Preventing network DoS attacks on a protected object

Network DoS protection is a type of security that collects several DoS checks in a protection profile. Network attack detection and prevention serves several functions:

  • To detect and report on packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can configure the Network DoS protection profile to detect possible attack vectors by packet-per-second or percentage-increase-over-time thresholds, which can indicate that a possible attack is in process. Such attacks can be logged and reported through system logging facilities. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.

You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are passed by the protection profile, without being subject to the checks in the protection profile.

Network DoS protection requires that your protected object includes a protection profile that includes network security.

Task list

Preventing network DoS attacks on protected objects with a protection profile

The BIG-IP system handles network attacks that use malformed packets and malicious attack vectors. Possible malicious packets and attacks are detected by logging when packets exceed a threshold of packets per second, and by detecting the rate increase percentage in packets of a certain type over time. You can configure settings to identify and rate limit possible network attacks with a protection profile. For many vectors, you can also automatically blacklist IP addresses.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click Create.
    The New Protection Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  5. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
  6. To configure network security settings, for Families, select Network.
  7. At the bottom of the screen, click Network.
    The screen displays the network attack vectors.
  8. To change the threshold or rate increase for a particular network attack, in the Attack Type column, click the name of the attack.
    The DoS attack Properties pane appears on the right side of the screen.
  9. In the Properties pane, from the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector, log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  10. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Note: Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
      Unless the ceiling is set to Infinite, a packet rate that exceeds the ceiling value is treated by the system as an attack.
  11. To configure DoS vector thresholds manually, for Threshold Mode, select Fully Manual.
    1. From the Detection Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
    2. From the Detection Threshold Percent list, select Specify or Infinite.
      Use Specify to set a value (in percentage of traffic) for the attack detection threshold. Use Infinite to set no value for the threshold.
    3. From the Mitigation Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  12. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  13. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold of 1-hour average, an attack is logged and reported. The system continues to check every second and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  14. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  15. Click Simulate Auto Threshold to log a simulated attack event that the system identifies as a DoS attack according to the automatic thresholds, while still enforcing the manual thresholds.
    Note: This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Fully Automatic for a vector.
  16. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  17. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  18. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  19. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  20. From the Category Name list, select a blacklist category to apply to automatically blacklisted addresses.
  21. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  22. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  23. To allow IP source blacklist entries to be advertised to edge routers, so that the routers null-route traffic from those sources, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
You have now configured a DoS protection profile to analyze network packet behavior for DoS attacks, to allow specific configured attacks to be identified in system logs and reports, and to allow rate limiting of such attacks.
Associate the protection profile with a protected object to enable network DoS protection.
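The way the thresholds configured in steps 11 through 22 interact (detection EPS, detection percent over the 1-hour average, mitigation EPS, the per-source bad-actor thresholds, and sustained-attack blacklisting) is easier to see in a worked model. The following is an added example, not BIG-IP AFM code or an F5 tool: a constructed Python model of one vector's per-second evaluation, using constructed source IPs and counts; the VectorConfig and VectorState names and the assumptions listed in the comments are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not BIG-IP AFM code: a constructed model of how the documented thresholds
# of ONE network DoS vector interact, fed per-second event counts keyed by source IP.
# None stands for Infinite. Assumptions not stated on the page: a blacklisted source is
# dropped before the vector runs, per-source limiting runs before the aggregate limit, and
# the percent threshold is an increase over the 1-hour average, kept here as a moving average.

@dataclass
class VectorConfig:
    detection_eps: Optional[int] = 1000      # Detection Threshold EPS
    detection_pct: Optional[int] = 500       # Detection Threshold %, relative to 1-hour average
    mitigation_eps: Optional[int] = 10000    # Mitigation Threshold EPS (aggregate rate limit)
    bad_actor: bool = True                   # Bad Actor Detection enabled
    src_detection_eps: Optional[int] = 100   # Per Source IP Detection Threshold EPS
    src_mitigation_eps: Optional[int] = 500  # Per Source IP Mitigation Threshold EPS
    sustained_secs: int = 60                 # Sustained Attack Detection Time (default 60 s)
    category_duration: int = 14400           # Category Duration Time (default 4 hours)

@dataclass
class VectorState:
    hourly_avg: float = 0.0                              # running 1-hour average EPS
    attacking_since: dict = field(default_factory=dict)  # src -> first second over threshold
    blacklist: dict = field(default_factory=dict)        # src -> second the entry expires

def evaluate_second(cfg, st, now, counts_by_src):
    """Evaluate one second of traffic; returns (attack_detected, dropped, newly_blacklisted)."""
    blocked = {s for s in counts_by_src if st.blacklist.get(s, 0) > now}
    dropped = sum(counts_by_src[s] for s in blocked)     # dropped by the IP Intelligence policy
    live = {s: n for s, n in counts_by_src.items() if s not in blocked}
    newly_blacklisted = []
    total = sum(live.values())
    attack = cfg.detection_eps is not None and total > cfg.detection_eps
    if cfg.detection_pct is not None and st.hourly_avg > 0:
        attack = attack or total > st.hourly_avg * (1 + cfg.detection_pct / 100)
    passed = total
    if cfg.bad_actor:
        for src, n in live.items():
            if cfg.src_detection_eps is not None and n > cfg.src_detection_eps:
                since = st.attacking_since.setdefault(src, now)   # bad actor seen this second
                if now - since >= cfg.sustained_secs and st.blacklist.get(src, 0) <= now:
                    st.blacklist[src] = now + cfg.category_duration  # Add Source Address to Category
                    newly_blacklisted.append(src)
            else:
                st.attacking_since.pop(src, None)                 # attack from this source ended
            if cfg.src_mitigation_eps is not None and n > cfg.src_mitigation_eps:
                excess = n - cfg.src_mitigation_eps               # per-source rate limit
                dropped, passed = dropped + excess, passed - excess
    if cfg.mitigation_eps is not None and passed > cfg.mitigation_eps:
        dropped += passed - cfg.mitigation_eps                    # aggregate rate limit
    st.hourly_avg += (total - st.hourly_avg) / 3600               # update the 1-hour average
    return attack, dropped, newly_blacklisted
```

Feeding the model 61 consecutive seconds of one source exceeding the per-source thresholds shows the aggregate detection firing immediately, per-source rate limiting each second, and the blacklist entry appearing only once the Sustained Attack Detection Time has elapsed.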

DoS profile attack types

You can specify specific threshold, rate increase, rate limit, and other parameters for supported network DoS attack types, to more accurately detect, track, and rate limit attacks.

Attention: All hardware-supported vectors are performed in hardware on vCMP guests, provided that the vCMP guests have the same software version as the vCMP host.
Attack Name | DoS Vector Name | Information | Hardware accelerated
TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where <value> is 1-4. | Yes
IP Option Frames | ip-opt-frames | IPv4 packet with an IP option. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes
IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <value>, where <value> is 0-1024. | Yes
IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <value>, where <value> is 1-4. | Yes
IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 packet contains extended header frames. | Yes
Too Many Extended Headers | too-many-ext-hdrs | An IPv6 packet has more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <value>, where <value> is 0-15. | Yes
Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length. | Yes
TCP Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious. | Yes
TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. | Yes
Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type. | Yes
ICMPv4 Flood | icmpv4-flood | Flood with ICMPv4 packets. | Yes
ICMPv6 Flood | icmpv6-flood | Flood with ICMPv6 packets. | Yes
IP Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4. | Yes
IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | No
TCP RST Flood | tcp-rst-flood | TCP RST flood. | Yes
TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood. | Yes
TCP SYN Flood | tcp-syn-flood | TCP SYN flood. | Yes
TCP Window Size | tcp-window-size | The TCP window size in packets exceeds the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value <value>, where <value> is <= 128. | Yes
TCP SYN Oversize | tcp-syn-oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value <value>. The default size is 64 and the maximum allowable value is 9216. | Yes
UDP Flood | udp-flood | UDP flood attack. | Yes
ICMP Fragment | icmp-frag | ICMP fragment flood. | Yes
Sweep | sweep | Sweep on a single endpoint. You can configure the packet types to check for, and the packets per second for both detection and rate limiting. You can also configure automatic blacklisting for IPs that initiate sweep attacks, using the IP Intelligence mechanism. | No
Host Unreachable | host-unreachable | Host unreachable error. | Yes
TIDCMP | tidcmp | ICMP source quench attack. | Yes

Associating a protection profile with a protected object

You must first create a DoS protection profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the protected object requires an HTTP profile (such as the default http).
You add denial-of-service protection to a protected object to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object to which you want to assign a protection profile.
    The Properties pane opens on the right.
  3. In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
    This associates the protection profile with the protected object.
  4. Click Save.
DoS protection is now enabled, and the DoS protection profile is associated with the protected object.

Allowing addresses to bypass protection profile checks

You can specify whitelisted addresses that the protection profile does not subject to DoS checks. Whitelist entries are specified on a security address list that you can create.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click the name of the protection profile you want to modify.
  3. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.

Creating a network DoS logging profile

Create a custom logging profile to log messages about network DoS events.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select DoS Protection.
  5. In the Network DoS Protection area, from the Publisher list, select the publisher the system uses to log network DoS events.
  6. Click Create.
Assign this network DoS logging profile to a protected object.

Logging DoS network events on a protected object

Ensure that at least one log publisher exists on the BIG-IP system.
Assign a custom logging profile to a protected object when you want the system to log DoS network events for the traffic the protected object processes.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object for which you want to log DoS events.
    The Properties pane opens on the right.
  3. In the Network & General area, for Logging Profiles, move the logging profile to assign from the Available list into the Selected list.
    This assigns the logging profile to the protected object.
  4. Click Save.
The system logs DoS network events for the protected object.
You can review DoS network event logs at Security > Event Logs > DoS > Network. You can also view network auto thresholds and dynamic signatures (if enabled).