Applies To: BIG-IP AFM 14.1.2, 14.1.0
Preventing Global DoS Sweep and Flood Attacks
Overview: Preventing DoS sweep and flood attacks
A sweep attack is a network scanning technique that sweeps your network by sending packets from a single host to multiple destinations. The packet responses are then used to determine which hosts are responsive. Typical attacks use ICMP to accomplish this.
The sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also configure the sweep vector to automatically blacklist an IP address from which the sweep attack originates.
A flood attack is an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system and prevent legitimate access to it. A typical attack might flood the system with SYN packets without then sending the corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.
The flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.
The BIG-IP system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.
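The following Python is an added illustration, not F5 code or configuration: it models the per-source sweep vector and per-destination flood vector described above on constructed packet records, with a detection threshold that flags an address and a higher rate limit above which packets are dropped. The sweep vector is evaluated first, so packets it drops never reach the flood vector; the addresses, packet counts and thresholds are assumed sample values.

```python
from collections import defaultdict

# Constructed packet records (second, src, dst) using documentation address ranges:
# one source sweeping six destinations, six sources flooding one destination,
# and two packets from an ordinary client.
SAMPLE_PACKETS = (
    [(0, "198.51.100.9", f"10.0.0.{i}") for i in range(1, 7)]
    + [(0, f"203.0.113.{i}", "10.0.0.50") for i in range(1, 7)]
    + [(0, "192.0.2.7", "10.0.0.80"), (0, "192.0.2.7", "10.0.0.80")]
)

def evaluate(packets, detection_pps, rate_limit_pps):
    """Sweep vector counts packets per source, flood vector per destination, each
    per one-second window; crossing detection_pps flags the address, crossing
    rate_limit_pps drops the packet. Returns (decisions, detected)."""
    sweep_counts = defaultdict(int)   # (second, src) -> packets from src
    flood_counts = defaultdict(int)   # (second, dst) -> packets to dst
    detected = set()
    decisions = []
    for second, src, dst in packets:
        # Sweep vector acts first, keyed by source address.
        sweep_counts[(second, src)] += 1
        seen = sweep_counts[(second, src)]
        if seen > detection_pps:
            detected.add(("sweep", src))
        if seen > rate_limit_pps:
            decisions.append("drop:sweep")
            continue
        # Flood vector, keyed by destination; packets the sweep dropped never reach it.
        flood_counts[(second, dst)] += 1
        seen = flood_counts[(second, dst)]
        if seen > detection_pps:
            detected.add(("flood", dst))
        if seen > rate_limit_pps:
            decisions.append("drop:flood")
            continue
        decisions.append("allow")
    return decisions, detected

def summarize(decisions):
    """Count decisions by outcome, e.g. {'allow': 10, 'drop:sweep': 2}."""
    counts = defaultdict(int)
    for decision in decisions:
        counts[decision] += 1
    return dict(counts)

if __name__ == "__main__":
    decisions, detected = evaluate(SAMPLE_PACKETS, detection_pps=3, rate_limit_pps=4)
    print(summarize(decisions), sorted(detected))
```

Running a single-source, single-destination flood through `evaluate` shows every drop attributed to the sweep vector, matching the ordering stated above.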
You can configure DoS sweep and flood prevention through DoS Protection > Device Configuration > Network Security.