Manual Chapter : Preventing Global DoS Sweep and Flood Attacks

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.2, 14.1.0
Manual Chapter

Preventing Global DoS Sweep and Flood Attacks

Overview: Preventing DoS sweep and flood attacks

A sweep attack is a network scanning technique that sweeps your network by sending packets from a single host to multiple destination. The packet responses are then used to determine responsive hosts. Typical attacks use ICMP to accomplish this.

The sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also configure the sweep vector to automatically blacklist an IP address from which the sweep attack originates.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is a an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm and prevent legitimate access the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large amount of UDP packets, requiring the system to verify applications and send responses.

The flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.

The BIG-IP system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

You can configure DoS sweep and flood prevention through DoS Protection >Device Configuration > Network Security.

Detecting and protecting against single endpoint DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose Network.
    The screen displays the network attack vectors.
  3. Click Single Endpoint Flood.
    The Single Endpoint Flood Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps and logging to better track threats to your system.

Detecting and protecting against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP addresses that you detect perpetrating such attacks.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose Network.
    The screen displays the network attack vectors.
  3. Click Single Endpoint Sweep.
    The Single Endpoint Sweep Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  8. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  9. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  12. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
Now you have configured the system to provide protection against DoS sweep attacks, to allow such attacks to be identified in system logs and reports, and to automatically add such attackers to a blacklist of your choice.
Configure SNMP traps and logging to better track threats to your system.

Detecting and protecting against UDP flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for UDP flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, choose Network.
    The screen displays the network attack vectors.
  3. Click UDP Flood.
    The UDP Flood Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. For Threshold Mode, select Fully Manual.
  6. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the Detection Threshold % list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold of 1-hour average, an attack is logged and reported. The system continues to check every second and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  8. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  9. Click Simulate Auto Threshold to log a simulated attacked event that the system identifies as a DoS attack according to the automatic thresholds, though enforcing manual thresholds.
    Note: This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Fully Automatic for a vector.
  10. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  11. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  14. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  15. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  16. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  18. For automatic blacklisting, click Attacked Destination Detection, and configure the additional settings as for Bad Actor Detection.
  19. From the Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  20. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  21. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excludes the source port.
    • Destination only includes or excludes the destination port.
    • Both Source and Destination includes or excludes both the source and destination ports.
You have now configured the system to provide customized protection against UDP flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps and logging to better track threats to your system.