Manual Chapter : Detecting and Preventing System DoS and DDoS Attacks

Applies To:


BIG-IP AFM

  • 14.1.0

Detecting and Preventing System DoS and DDoS Attacks

Overview: Configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

BIG-IP Advanced Firewall Manager (AFM) applies DoS and DDoS attack protection at two levels: Device Protection and Protection Profiles. Device Protection protects the entire BIG-IP system, while Protection Profiles protect virtual servers (also known as Protected Objects). Having these two levels of protection allows detection and mitigation to be configured according to each device's or application's unique attack types and thresholds.

AFM also enables further attack mitigation, including automatic identification and blacklisting of attacking IP addresses, and automatic configuration of DoS attack vector thresholds based on system analysis of Network, DNS and SIP traffic.

Detecting and protecting against system-wide DoS and DDoS attacks

Device Protection is used to protect the entire BIG-IP system. DoS detection and mitigation can be either automatically or manually configured for a wide range of DoS and DDoS attack vectors.
Note: Not all settings apply to all DoS vectors. For example, some vectors cannot use automatic thresholds, and some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers .
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  5. Optionally, set up appropriate whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing Source IP addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be at compatibility level 1 or 2.
      Note: Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN, source or destination address, port, and protocol, then click Done Editing.
      You can create up to eight rich whitelists, which allow further delineation of the whitelist.
    3. If the system is compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN, source address, destination address, port, and protocol, then click Done Editing.
      You can create 256 source and destination whitelist addresses by default and can extend to 1024 by using Extended Whitelists.
  6. At the bottom of the screen, choose Network, DNS, or SIP to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
  7. To enable (or disable) auto thresholds for one or more attack types, select the check box next to the attack names, and from the Set Threshold button at the bottom of the screen, select Fully-automatic, Manual Detection / Auto Mitigation or Manual.
    Note: To work accurately, automatic thresholds require some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
    Tip: You can select all vectors by clicking the check box at the top of the list. However, some vectors do not support automatic thresholds. Deselect these vectors before you select Fully-automatic to avoid an error.
  8. Similarly, to set the state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, Learn Only, or Disable.
    The state you click is set for all selected vectors.
  9. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  10. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (collect stats, watch, learn, alert, and no mitigation) or Learn Only (collect stats, watch, learn, and no mitigation).
    CAUTION:
    For most DoS vectors, you want to enforce the vector, which is the default setting. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  11. Set the Threshold Mode for the vector.
    • If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
    • To configure thresholds manually, click Fully Manual.
  12. Adjust the other settings for the DoS vector for fully automatic, partially manual, or fully manual threshold configuration.
  13. To log traffic that the system identifies as a DoS attack according to the automatic thresholds, enable Simulate Auto Threshold.
    Note: This setting applies only to vectors that can be configured for automatic thresholds. It allows you to see the results of automatic thresholds on the selected DoS vector without actually affecting traffic. When you enable this setting, the current system-computed thresholds for automatic thresholds are displayed for this vector. Automatic thresholds are not applied to packets unless the Threshold Mode is changed for the vector.
  14. If the vector includes other settings, such as Bad Actor Detection and Attacked Destination Detection, configure them as needed. If using automatic blacklisting with Bad Actor Detection, be sure to assign a global IP intelligence policy to the device ( Security > Network Firewall > IP Intelligence > Policies ).
  15. Click Commit Changes to System to save the changes.
    The configuration is updated, and the Device Protection screen opens again.
  16. Repeat the previous steps for any other attack types for which you want to change the configuration.
You have now configured the system to provide custom responses to DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps and high-speed remote logging to better track threats to your system.

Adjusting the device compatibility level

You can adjust the compatibility level of the system to enable different levels of DoS protection and whitelists depending on the hardware platform of your system.
Note: If using DDoS Hybrid Defender, adjusting the compatibility level must be done from the Advanced Menu.
  1. On the Main tab, click System > Configuration > Device .
  2. From the Compatibility Level list, select the appropriate compatibility level for your hardware.
    Option | Description
    --- | ---
    LEVEL 0 | Specifies a system with basic hardware DoS capabilities (provides device protection and Rich Whitelist). Valid for all systems, and is the default value.
    LEVEL 1 | Specifies either a VE system with no hardware offload or a system with hardware DoS and sPVA capabilities (in addition to LEVEL 0 features, provides hardware DoS protection per protected object, Whitelist Address List, IP intelligence, and bad actor/attacked destination discovery).
    LEVEL 2 | Specifies a system with hardware DoS, sPVA, and Neuron capabilities (in addition to LEVEL 1 features, provides extended whitelist).
    You will receive a message if you select a level that is not applicable to your hardware.
  3. Click Update.

Automatically detecting and protecting against system-wide DoS and DDoS attacks

The BIG-IP system handles DoS and DDoS attacks with preconfigured responses. With the DoS Device Protection, you can automatically or manually set detection and mitigation thresholds for a range of DoS and DDoS attack vectors. Use this task to configure automatic thresholds for the system, and for adjusting individual DoS vectors.
Note: Not all settings apply to all DoS vectors. For example, some vectors do not support automatic thresholds, and some vectors do not include bad actor detection or automatic blacklisting.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers .
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  5. Optionally, set up appropriate whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing source IP addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be at compatibility level 1 or 2.
      Note: Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN with VLAN mask, source or destination address (with prefix), port, and protocol, then click Done Editing.
      You can define up to eight rich whitelists.
    3. If the system is compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN with VLAN mask, source address (with prefix), destination address (with prefix), port, and protocol, then click Done Editing.
      Extended whitelists can include both the source and destination addresses, and you can create 256 of them, by default. (The maximum number can be extended to 1024, if needed.)
  6. At the bottom of the screen, choose Network, DNS, or SIP to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
  7. To enable auto thresholds for one or more attack types, select the check box next to the vector name or names, and from the Set Threshold button at the bottom of the screen, select Fully-automatic.
    Note: To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
    Tip: You can select all vectors by clicking the check box at the top of the list. However, some vectors do not support automatic thresholds. Deselect these vectors before you select Fully-automatic to avoid an error.
  8. Similarly, to set the state for several attack types, select the check box next to the vector names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, Learn Only, or Disable.
    The state you click is set for all selected vectors.
  9. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  10. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (collect stats, watch, learn, alert, and no mitigation) or Learn Only (collect stats, watch, learn, and no mitigation).
    CAUTION:
    For most DoS vectors, you want to enforce the vector, which is the default setting. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  11. For Threshold Mode, select Fully Automatic.
    Note: You cannot configure automatic thresholds for every DoS vector. In particular, for error packets you can manually specify only Detection Threshold EPS, Detection Threshold Percent, and the Mitigation Threshold EPS.
    Note: If automatic thresholds are available, you can configure automatic thresholds, partially manual, or manual thresholds for that DoS vector. When you select one configuration setting, the options for the other setting no longer appear.
  12. In the Attack Floor EPS field, optionally specify the minimum number of events per second of the vector type, below which you don't think an attack should be detected.
  13. In the Attack Ceiling EPS field, optionally specify the absolute maximum allowable for events per second of this type, above which the system should mitigate the attack.
    This setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
  14. If the vector includes other settings, such as Bad Actor Detection and Attacked Destination Detection, configure them as needed. If using automatic blacklisting with Bad Actor Detection, be sure to assign a global IP intelligence policy to the device ( Security > Network Firewall > IP Intelligence > Policies ).
  15. Click the Commit Changes to System button at the top of the page.
    The selected vector is updated, and the DoS Protection Device Configuration screen refreshes.
  16. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to automatically detect and respond to possible DoS and DDoS attacks, and to identify such attacks in system logs and reports.
Configure SNMP traps and remote high-speed logging to better track threats to your system.

Configuring manual thresholds for DoS and DDoS vectors

You manually configure thresholds for a DoS vector when you want to configure specific settings, or when the vector does not allow automatic threshold configuration.
Note: Not all settings apply to all DoS vectors. For example, some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. From the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers .
  3. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  5. Optionally, set up appropriate whitelists for addresses that can bypass DDoS checks.
    1. To specify a system-wide DoS address list containing source IP addresses that do not need to be checked for DoS attacks, type the name of a previously configured list in the Whitelist Address List field (see Creating a whitelist address list for details). The system must be at compatibility level 1 or 2.
      Note: Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
    2. For Rich Whitelists (all compatibility levels), click the Add Whitelist button, type the name, source VLAN with VLAN mask, source or destination address (with prefix), port, and protocol, then click Done Editing.
      You can define up to eight rich whitelists.
    3. If the system is compatibility level 2, for Extended Whitelists, click the Add Whitelist button, type the name, source VLAN with VLAN mask, source address (with prefix), destination address (with prefix), port, and protocol, then click Done Editing.
      Extended whitelists can include both the source and destination addresses, and you can create 256 of them, by default. (The maximum number can be extended to 1024, if needed.)
  6. At the bottom of the screen, choose Network, DNS, or SIP to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
  7. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  8. For Threshold Mode, select Fully Manual.
  9. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  10. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold of 1-hour average, an attack is logged and reported. The system continues to check every second and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  11. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  12. To log traffic that the system identifies as a DoS attack according to the automatic thresholds, enable Simulate Auto Threshold.
    Note: This setting applies only to vectors that can be configured for automatic thresholds. It allows you to see the results of automatic thresholds on the selected DoS vector without actually affecting traffic. When you enable this setting, the current system-computed thresholds for automatic thresholds are displayed for this vector. Automatic thresholds are not applied to packets unless the Threshold Mode is changed for the vector.
  13. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  14. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  15. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  16. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  17. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  18. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  19. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  20. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  21. To set thresholds for attacked destinations, select Attacked Destination Detection.
    1. In the Per Destination IP Detection Threshold EPS field, specify the number of events per second from one IP address that identifies the IP destination as an Attacked destination, for purposes of attack detection and logging.
    2. In the Per Destination IP Mitigation Threshold EPS field, specify the number of events per second headed to one IP address, above which rate limiting occurs.
    3. To automatically blacklist bad actor IP addresses, select Add Destination Address to Category.
      For DoS protection, the blacklist category is set to denial_of_service automatically.
    4. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
    5. To set the duration the destination address remains blacklisted, specify the Category Duration Time in seconds. The default is 900 seconds.
    6. To allow destination IP blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
  22. Click the Commit Changes to System button at the top of the page.
    The configuration is updated, and the Device Protection screen opens again.
  23. Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
Configure SNMP traps and remote high-speed logging to better track threats to your system.
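The manual-threshold settings walked through above (Detection Threshold EPS, Detection Threshold %, Mitigation Threshold EPS, the per-source Bad Actor thresholds, Sustained Attack Detection Time and Category Duration Time) interact second by second, and the Device Protection procedure earlier in this chapter sets the same fields. The following Python is an added example written for this page, not F5 code, that models those semantics over a constructed traffic sample so you can see which seconds are logged, how many events are dropped, and when a source is blacklisted. Modelling assumptions, marked in the comments: the percentage check compares the current EPS against the given percentage of the 1-hour average; a source is blacklisted after that many consecutive seconds over its per-source detection threshold; and a blacklisted source's events are dropped outright (in AFM that drop is done by the IP Intelligence policy you assign in step 16). The `sustained_attack_secs` default of 10 is also an assumption, since the chapter gives none.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFINITE = None   # the GUI's "Infinite": this threshold is not applied


@dataclass
class VectorConfig:
    # Fully Manual threshold settings from the chapter; None means Infinite
    detection_eps: Optional[int] = INFINITE
    detection_pct: Optional[int] = INFINITE
    mitigation_eps: Optional[int] = INFINITE
    per_src_detection_eps: Optional[int] = INFINITE
    per_src_mitigation_eps: Optional[int] = INFINITE
    sustained_attack_secs: int = 10          # assumed value; the chapter gives no default
    category_duration_secs: int = 14400      # chapter default: 4 hours


@dataclass
class VectorState:
    history: List[int] = field(default_factory=list)         # past per-second totals
    sustained: Dict[str, int] = field(default_factory=dict)  # src -> consecutive detect seconds
    blacklist: Dict[str, int] = field(default_factory=dict)  # src -> second the entry expires


def one_hour_average(history: List[int]) -> float:
    """Mean of up to the last 3600 per-second totals (the chapter's '1-hour average')."""
    window = history[-3600:]
    return sum(window) / len(window) if window else 0.0


def step(cfg: VectorConfig, st: VectorState, now: int, per_src: Dict[str, int]) -> dict:
    """Evaluate one second of traffic; per_src maps source IP -> events this second."""
    total = sum(per_src.values())
    avg = one_hour_average(st.history)
    # Detection: an attack is logged for every second either threshold is exceeded.
    # Assumption: the % threshold is "current EPS above pct% of the 1-hour average".
    detected = (cfg.detection_eps is not INFINITE and total > cfg.detection_eps) or \
               (cfg.detection_pct is not INFINITE and avg > 0 and total > avg * cfg.detection_pct / 100)
    # Expire blacklist entries whose Category Duration Time has elapsed.
    st.blacklist = {s: exp for s, exp in st.blacklist.items() if exp > now}
    dropped, kept, bad_actors = 0, 0, []
    for src, n in per_src.items():
        if src in st.blacklist:
            dropped += n   # assumption: the IP Intelligence policy drops blacklisted sources
            continue
        if cfg.per_src_detection_eps is not INFINITE and n > cfg.per_src_detection_eps:
            bad_actors.append(src)
        # Per Source IP Mitigation Threshold EPS: rate-limit each source on its own.
        allowed = n if cfg.per_src_mitigation_eps is INFINITE else min(n, cfg.per_src_mitigation_eps)
        kept += allowed
        dropped += n - allowed
    # Sustained Attack Detection Time (assumed: consecutive seconds as a bad actor).
    st.sustained = {s: st.sustained.get(s, 0) + 1 for s in bad_actors}
    for src, secs in st.sustained.items():
        if secs >= cfg.sustained_attack_secs:
            st.blacklist[src] = now + cfg.category_duration_secs
    # Mitigation Threshold EPS for the whole vector: excess events are dropped.
    if cfg.mitigation_eps is not INFINITE and kept > cfg.mitigation_eps:
        dropped += kept - cfg.mitigation_eps
        kept = cfg.mitigation_eps
    st.history.append(total)
    return {"second": now, "total": total, "detected": detected, "forwarded": kept,
            "dropped": dropped, "bad_actors": bad_actors, "blacklisted": sorted(st.blacklist)}


def constructed_traffic() -> List[Dict[str, int]]:
    """Constructed sample: 5 s of 100-eps baseline, then 6 s with one source adding 900 eps."""
    baseline = {"192.0.2.10": 40, "192.0.2.11": 60}
    return [dict(baseline) for _ in range(5)] + \
           [{**baseline, "203.0.113.9": 900} for _ in range(6)]


def run(cfg: Optional[VectorConfig] = None) -> List[dict]:
    """Run the constructed sample through one vector's thresholds and return per-second results."""
    cfg = cfg or VectorConfig(detection_eps=500, detection_pct=500, mitigation_eps=350,
                              per_src_detection_eps=200, per_src_mitigation_eps=300,
                              sustained_attack_secs=3)
    st = VectorState()
    return [step(cfg, st, t, second) for t, second in enumerate(constructed_traffic())]


if __name__ == "__main__":
    for result in run():
        print(result)
```

With the sample configuration the burst is logged from second 5, the offending source is held to 300 eps and the vector to 350 eps, and after three consecutive bad-actor seconds the source is blacklisted, after which only the two baseline sources are forwarded. Setting any field to `INFINITE` reproduces the GUI's Infinite choice for that threshold.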

Default DoS attack signatures

The following tables, organized by DoS category, list AFM default device DoS attacks, and provide a short description and relevant information. You can adjust the thresholds in device protection by clicking the attack types and adjusting the properties.

Network attack types

Vector Information Hardware accelerated
ARP Flood ARP packet flood Yes
Bad ICMP Checksum An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. Yes
Bad ICMP Frame The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. Yes
Bad IGMP Frame IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. Yes
Bad IP TTL Value Time-to-live equals zero for an IPv4 address. Yes
Bad IP Version The IPv4 address version in the IP header is not 4. Yes
Bad IPv6 Addr IPv6 source IP = 0xff00:: Yes
Bad IPV6 Hop Count Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. Yes
Bad IPV6 Version The IPv6 address version in the IP header is not 6. Yes
Bad SCTP Checksum Bad SCTP packet checksum. No
Bad Source The IPv4 source IP = 255.255.255.255 or 0xe0000000U. Yes
Bad TCP Checksum The TCP checksum does not match. Yes
Bad TCP Flags (All Cleared) Bad TCP flags (all cleared and SEQ#=0). Yes
Bad TCP Flags (All Flags Set) Bad TCP flags (all flags set). Yes
Bad UDP Checksum The UDP checksum is not correct. Yes
Bad UDP Header (UDP Length > IP Length or L2 Length) UDP length is greater than IP length or Layer 2 length. Yes
Ethernet Broadcast Packet Ethernet broadcast packet flood Yes
Ethernet MAC Source Address == Destination Address Ethernet MAC source address equals the destination address. Yes
Ethernet Multicast Packet Ethernet multicast packet flood Yes
FIN Only Set Bad TCP flags (only FIN is set). Yes
Header Length > L2 Length No room in Layer 2 packet for IP header (including options) for IPv4 address Yes
Header Length Too Short IPv4 header length is less than 20 bytes. Yes
Host Unreachable Host unreachable error Yes
ICMP Fragment ICMP fragment flood Yes
ICMP Frame Too Large The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value , where value is <=65515. Yes
ICMPv4 Flood Flood with ICMPv4 packets Yes
ICMPv6 Flood Flood with ICMPv6 packets Yes
IGMP Flood Flood with IGMP packets (IPv4 packets with IP protocol number 2) Yes
IGMP Fragment Flood Fragmented packet flood with IGMP protocol Yes
IP Error Checksum The header checksum is not correct. Yes
IP Fragment Error Other IPv4 fragment error Yes
IP Fragment Flood Fragmented packet flood with IPv4 Yes
IP Fragment Overlap IPv4 overlapping fragment error No
IP Fragment Too Small IPv4 short fragment error Yes
IP Length > L2 Length The total length in the IPv4 address header or payload length in the IPv6 address header is greater than the Layer 3 length in a Layer 2 packet. Yes
IP Option Frames IPv4 address packets that are part of an IP option frame flood. On the command line, option.db variable tm.acceptipsourceroute must be enabled to receive IP options. Yes
IP Option Illegal Length Option present with illegal length. No
IP uncommon proto Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. Yes
IP Unknown protocol Unknown IP protocol No
IPv4 mapped IPv6 The IPv6 stack is receiving IPv4 address packets. Yes
IPV6 Atomic Fragment IPv6 Frag header present with M=0 and FragOffset =0. Yes
IPv6 duplicate extension headers An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. Yes
IPv6 Extended Header Frames IPv6 address contains extended header frames. Yes
IPv6 extended headers wrong order Extension headers in the IPv6 header are in the wrong order. Yes
IPv6 extension header too large An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value , where value is 0-1024. Yes
IPv6 Fragment Error Other IPv6 fragment error Yes
IPv6 Fragment Flood Fragmented packet flood with IPv6 Yes
IPv6 Fragment Overlap IPv6 overlapping fragment error No
IPv6 Fragment Too Small IPv6 short fragment error Yes
IPv6 hop count <= <tunable> The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value , where value is 1-4. Yes
IPv6 Length > L2 Length IPv6 address length is greater than the Layer 2 length. Yes
L2 Length >> IP Length Layer 2 packet length is much greater than the payload length in an IPv4 address header, and the Layer 2 length is greater than the minimum packet size. Yes
LAND Attack Source IP equals destination IP address Yes
No L4 No Layer 4 payload for IPv4 address. Yes
No L4 (Extended Headers Go To Or Past End of Frame) Extended headers go to the end or past the end of the L4 frame. Yes
No Listener Match This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem.  
Non TCP Connection Sets a connection rate limit for non-TCP flows that takes into account all other connections per second.  
Option Present With Illegal Length Packets contain an option with an illegal length. Yes
Payload Length < L2 Length Specified IPv6 payload length is less than the L2 packet length. Yes
Routing Header Type 0 Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. Yes
Single Endpoint Flood Flood to a single endpoint and can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting. No
Single Endpoint Sweep Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. No
SYN && FIN Set Bad TCP flags (SYN and FIN set). Yes
TCP BADACK Flood TCP ACK packet flood No
TCP Flags - Bad URG Packet contains a bad URG flag; this is likely malicious. Yes
TCP Half Open TCP connection whose state is out of synchronization between the two communicating hosts Yes
TCP Header Length > L2 Length The TCP header length exceeds the Layer 2 length. Yes
TCP Header Length Too Short (Length < 5) The Data Offset value in the TCP header is less than five 32-bit words. Yes
TCP Option Overruns TCP Header The TCP option bits overrun the TCP header. Yes
TCP PUSH Flood TCP PUSH flood Yes
TCP RST Flood TCP RST flood Yes
TCP SYN ACK Flood TCP SYN/ACK flood Yes
TCP SYN Flood TCP SYN flood Yes
TCP SYN Oversize Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value in tmsh: modify sys db dos.maxsynsize value. The default size in bytes is 64 and the maximum allowable value is 9216. Yes
TCP Window Size The TCP window size in packets is above the maximum size. To tune this value in tmsh: modify sys db dos.tcplowwindowsize value where value is <= 128. Yes
TIDCMP ICMP source quench attack Yes
Too Many Extension Headers For an IPv6 address, there are too many extended headers (the default is 4). To tune this value in tmsh: modify sys db dos.maxipv6exthdrs value , where value is 0-15. Yes
TTL <= <tunable> An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value , where value is 1-4. Yes
UDP Flood UDP flood attack Yes
Unknown Option Type Unknown IP option type. No
Unknown TCP Option Type Unknown TCP option type. Yes
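The TCP and IP rows above describe header conditions rather than rates, so it helps to see what each one actually tests on the wire. The following is an added example (not F5 code and not how AFM's hardware path is implemented): it builds constructed IPv4/TCP packets and reports which of the table's vector names each packet would match. Assumptions are marked in comments: the default values of dos.maxsynsize (64) and dos.iplowttl (1) are taken from the table; what counts as a "bad URG", whether the SYN size check covers the whole segment, and which TCP option kinds are "known" are this example's own choices.

```python
import struct
from ipaddress import IPv4Address

# Defaults of the sys db tunables named in the table (the page gives these
# defaults; everything else below is this example's own assumption).
DOS_MAXSYNSIZE = 64   # dos.maxsynsize: SYN segments larger than this are "TCP SYN Oversize"
DOS_IPLOWTTL = 1      # dos.iplowttl: 0 < TTL <= this is "TTL <= <tunable>"

# TCP option kinds this example treats as known (assumption: EOL, NOP, MSS,
# window scale, SACK-permitted, SACK, timestamps); anything else is "unknown".
KNOWN_TCP_OPTIONS = {0, 1, 2, 3, 4, 5, 8}

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x10 >> 1, 0x10, 0x20


def build_ipv4_tcp(src, dst, ttl, flags, data_offset_words=5,
                   options=b"", payload=b"", urg_ptr=0):
    """Build a constructed IPv4+TCP packet for testing (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      data_offset_words << 4, flags, 65535, 0, urg_ptr)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def _walk_options(opts, hits):
    """Parse the TCP option bytes and record overrun / unknown-kind findings."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):   # kind byte present but no length byte
            hits.add("TCP Option Overruns TCP Header")
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            hits.add("TCP Option Overruns TCP Header")
            return
        if kind not in KNOWN_TCP_OPTIONS:
            hits.add("Unknown TCP Option Type")
        i += length


def check_tcp_vectors(frame, maxsynsize=DOS_MAXSYNSIZE, iplowttl=DOS_IPLOWTTL):
    """Return the set of table vector names an IPv4/TCP packet would match."""
    hits = set()
    ihl = (frame[0] & 0x0F) * 4
    ttl = frame[8]
    dst = IPv4Address(frame[16:20])
    if not dst.is_multicast and 0 < ttl <= iplowttl:
        hits.add("TTL <= <tunable>")

    tcp = frame[ihl:]
    if len(tcp) < 20:                       # not even a base TCP header
        hits.add("TCP Header Length > L2 Length")
        return hits
    data_offset = tcp[12] >> 4
    flags = tcp[13]
    urg_ptr = struct.unpack("!H", tcp[18:20])[0]

    if data_offset < 5:
        hits.add("TCP Header Length Too Short (Length < 5)")
    elif data_offset * 4 > len(tcp):        # header claims more bytes than the frame holds
        hits.add("TCP Header Length > L2 Length")
    else:
        _walk_options(tcp[20:data_offset * 4], hits)

    if flags & SYN and flags & FIN:
        hits.add("SYN && FIN Set")
    # Assumption for "bad URG": URG set with a zero urgent pointer, or a
    # non-zero urgent pointer without URG.
    if (flags & URG and urg_ptr == 0) or (urg_ptr and not flags & URG):
        hits.add("TCP Flags - Bad URG")
    # Assumption: the size compared against dos.maxsynsize is the whole TCP segment.
    if flags & SYN and not flags & ACK and len(tcp) > maxsynsize:
        hits.add("TCP SYN Oversize")
    return hits
```

A clean SYN carrying only an MSS option matches nothing; a SYN+FIN with TTL 1 to a unicast address matches two rows at once, while the same packet to a multicast destination drops the TTL finding, which is the exclusion the TTL row spells out.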

DNS attack vectors

Vector Information Hardware accelerated
DNS A Query UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS AAAA Query UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS AXFR Query UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS Any Query UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS CNAME Query UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS IXFR Query UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS MX Query UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS Malformed Malformed DNS packet Yes
DNS NS Query UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS NXDOMAIN Query DNS query. Queried domain name does not exist. Yes
DNS OTHER Query UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS Oversize Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value , where value is 256-8192. Yes
DNS PTR Query UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS Question Items != 1 DNS query whose question count is not exactly one (for example, a query with DNS Qtype ANY_QRY that carries more than one question). Yes
DNS Response Flood UDP packet on DNS port 53 whose DNS header flags have bit 15 (the QR bit) set to 1, that is, a response; VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS SOA Query UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS SRV Query UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
DNS TXT Query UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. Yes
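Most DNS rows in the table are keyed on three header fields: the QR bit, the question count, and the Qtype of the single question. The following added example (not F5 code, and not AFM's DNS parser) decodes a constructed UDP DNS payload and returns the table vector names it falls under. The Qtype numbers are the IANA values; the dos.maxdnssize default of 512 is an assumption, since the table only gives the allowed range, and the VLAN scoping (dos.dnsvlan) is left out. Flagging an NXDOMAIN response (RCODE 3) under the NXDOMAIN row is also this example's interpretation of that row.

```python
import struct

DOS_MAXDNSSIZE = 512  # assumed default of dos.maxdnssize (the page only gives the range 256-8192)

# IANA QTYPE values mapped to the table's vector names; anything else is "DNS OTHER Query".
QTYPE_VECTORS = {
    1: "DNS A Query", 28: "DNS AAAA Query", 252: "DNS AXFR Query", 255: "DNS Any Query",
    5: "DNS CNAME Query", 251: "DNS IXFR Query", 15: "DNS MX Query", 2: "DNS NS Query",
    12: "DNS PTR Query", 6: "DNS SOA Query", 33: "DNS SRV Query", 16: "DNS TXT Query",
}

QR_BIT = 0x8000     # bit 15 of the flags word: 1 = response
RCODE_MASK = 0x000F
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_dns(name, qtype, qr=False, rcode=0, qdcount=1, padding=b""):
    """Construct a DNS message with one question; `padding` makes it oversize."""
    flags = (QR_BIT if qr else 0) | 0x0100 | rcode   # 0x0100 = recursion desired
    header = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + padding


def _skip_name(msg, pos):
    """Return the offset just past the name starting at `pos`, or raise ValueError."""
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer, two bytes
            if pos + 2 > len(msg):
                raise ValueError("truncated pointer")
            return pos + 2
        pos += 1 + length


def classify_dns(msg, maxdnssize=DOS_MAXDNSSIZE):
    """Return the set of DNS vector names from the table that `msg` matches."""
    hits = set()
    if len(msg) > maxdnssize:
        hits.add("DNS Oversize")
    if len(msg) < 12:                       # shorter than the fixed header
        hits.add("DNS Malformed")
        return hits
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & QR_BIT:
        hits.add("DNS Response Flood")
        if flags & RCODE_MASK == RCODE_NXDOMAIN:
            hits.add("DNS NXDOMAIN Query")
        return hits
    if qdcount != 1:
        hits.add("DNS Question Items != 1")
        return hits
    try:
        pos = _skip_name(msg, 12)
        if pos + 4 > len(msg):              # QTYPE + QCLASS must follow the name
            raise ValueError("truncated question")
        qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    except ValueError:
        hits.add("DNS Malformed")
        return hits
    hits.add(QTYPE_VECTORS.get(qtype, "DNS OTHER Query"))
    return hits
```

Note that the oversize check is independent of the rest: a TXT query padded past the limit is counted under both the oversize row and the TXT row, whereas a truncated message is reported only as malformed.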

SIP attack vectors

Vector Information Hardware accelerated
SIP ACK Method SIP ACK packets Yes
SIP BYE Method SIP BYE packets Yes
SIP CANCEL Method SIP CANCEL packets Yes
SIP INVITE Method SIP INVITE packets Yes
SIP Malformed Malformed SIP packets Yes
SIP MESSAGE Method SIP MESSAGE packets Yes
SIP NOTIFY Method SIP NOTIFY packets Yes
SIP OPTIONS Method SIP OPTIONS packets Yes
SIP OTHER Method Other SIP method packets Yes
SIP PRACK Method SIP PRACK packets Yes
SIP PUBLISH Method SIP PUBLISH packets Yes
SIP REGISTER Method SIP REGISTER packets Yes
SIP SUBSCRIBE Method SIP SUBSCRIBE packets Yes
SIP URI Limit The SIP URI exceeds the limit. Yes

Custom DoS attack signatures

BIG-IP AFM allows you to create custom Network and DNS type DoS attack signatures when the default attack signatures do not match a new or unique type of DoS traffic. Familiarize yourself with the following options prior to creating a new DoS signature.
Note: The HTTP and TLS attack signatures are available for use when the Application Security Manager (ASM) module is provisioned.
Signature option Description
Name A unique name identifying the signature object.
Tags Tags are used to classify signatures. You can use tags to filter signature lists. For example, use a tag like Flood to group all flood attack signatures.
Description Describe the purpose of the signature.
Alias An alternate name for the signature.
Approved Select the check box to indicate that the signature has been reviewed and approved.
Shareable Indicates that the signature can be used by other protected objects (virtual servers) and protection profiles. All shareable signatures are accepted on any profile for which signatures are enabled.
Predicates List One or more match expressions, joined by logical operators, which the system uses to match traffic that is causing a DoS attack. You can edit the predicates (and all properties) of persistent signatures, and view the predicates of dynamic signatures. To add predicates when creating a persistent signature, click Add, select a predicate, specify the match expression, and the value.

Creating a custom DoS attack signature

You can create custom Network or DNS DoS attack signatures for traffic patterns that do not match one of the default attack signatures.
  1. On the Main tab, click Security > DoS Protection > Signatures .
  2. Click Add Signature within the Persistent area.
    The Properties pane opens on the right.
  3. Select either Network or DNS from the family list.
  4. Enter a unique Signature Name for the attack signature.
  5. Click the Tags icon to define one or more optional search tags.
    Important: Be sure to press Enter after each tag and click Done to associate all of the tags with the signature.
  6. Enter an optional Description and Alias.
  7. Click Add in the Predicates List area.
  8. Scroll through the Predicates List and select a predicate.
  9. Select the predicate match expression and value.
  10. Repeat steps 7 through 9 to add additional predicates.
  11. Click Create.
The new attack signature can now be viewed and modified in the Persistent area.
Use the new attack signature when creating or modifying a protection profile, or when enabling device protection.
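To make the signature fields and the predicate list concrete, here is an added example that models a persistent signature as data and evaluates it against traffic. It is not F5 code and does not reproduce AFM's predicate catalogue: the attribute names (tcp_flags, ip_ttl, dst_port, dns_qtype, udp_len), the operator set, and the two signatures are invented for illustration, and the packet records are constructed. What it does show is the page's rules: predicates are joined by a logical operator, tags filter the signature list, and a shareable signature is accepted by any profile that has signatures enabled while a non-shareable one must be assigned explicitly.

```python
from dataclasses import dataclass, field
import operator

# Match operators this model supports (the operators AFM offers are not listed
# on the page; this set is the example's own choice).
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge, "in": lambda a, b: a in b}


@dataclass
class Predicate:
    """One match expression: <attribute> <op> <value>."""
    attribute: str
    op: str
    value: object

    def matches(self, pkt):
        return self.attribute in pkt and OPS[self.op](pkt[self.attribute], self.value)


@dataclass
class DosSignature:
    """Model of the signature fields listed in the table above."""
    name: str
    family: str                  # "Network" or "DNS"
    predicates: list
    joiner: str = "and"          # logical operator joining the predicates
    tags: set = field(default_factory=set)
    description: str = ""
    alias: str = ""
    approved: bool = False
    shareable: bool = False

    def matches(self, pkt):
        results = [p.matches(pkt) for p in self.predicates]
        return all(results) if self.joiner == "and" else any(results)


def signatures_for_profile(signatures, assigned, signatures_enabled=True):
    """Signatures a protection profile enforces: the ones assigned to it plus
    every shareable one, and nothing if signatures are disabled on the profile."""
    if not signatures_enabled:
        return []
    return [s for s in signatures if s.shareable or s.name in assigned]


def filter_by_tag(signatures, tag):
    """Tag-based filtering of a signature list, as the Tags field is meant for."""
    return [s for s in signatures if tag in s.tags]


def count_matches(signatures, traffic):
    """Per-signature hit counts over a list of packet-attribute dicts."""
    counts = {s.name: 0 for s in signatures}
    for pkt in traffic:
        for s in signatures:
            if s.matches(pkt):
                counts[s.name] += 1
    return counts


# Two invented signatures; the attribute names are this example's assumption.
SYN_LOW_TTL = DosSignature(
    name="syn_low_ttl_to_web", family="Network", tags={"Flood", "TCP"},
    description="SYNs with a suspiciously low TTL aimed at the web tier",
    predicates=[Predicate("tcp_flags", "==", "S"), Predicate("ip_ttl", "<=", 2),
                Predicate("dst_port", "in", {80, 443})],
    shareable=True)

DNS_AMPLIFIER = DosSignature(
    name="dns_any_or_txt_large", family="DNS", tags={"Flood", "DNS"},
    description="large ANY/TXT queries typical of amplification probes",
    predicates=[Predicate("dns_qtype", "in", {"ANY", "TXT"}),
                Predicate("udp_len", ">", 512)])

SIGNATURES = [SYN_LOW_TTL, DNS_AMPLIFIER]

# Constructed packet-attribute records standing in for decoded traffic.
SAMPLE_TRAFFIC = [
    {"tcp_flags": "S", "ip_ttl": 1, "dst_port": 80},
    {"tcp_flags": "S", "ip_ttl": 64, "dst_port": 80},
    {"tcp_flags": "S", "ip_ttl": 2, "dst_port": 443},
    {"dns_qtype": "ANY", "udp_len": 1400},
    {"dns_qtype": "A", "udp_len": 60},
    {"dns_qtype": "TXT", "udp_len": 100},
]
```

Running count_matches(SIGNATURES, SAMPLE_TRAFFIC) credits the network signature with two hits and the DNS signature with one; a profile with no explicit assignments still picks up the shareable network signature, and must name the DNS signature to enforce it.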