Manual Chapter : Detecting DoS Attacks Dynamically

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.2, 14.1.0
Manual Chapter

Detecting DoS Attacks Dynamically

Overview: Detecting DoS attacks dynamically

A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic signature enforcement, such attacks can be detected and mitigated automatically by AFM. Dynamic signature enforcement creates signatures for attacks based on changing traffic patterns over time. When an attack is detected, a signature is created and added to a list of dynamic signatures. All packets are then checked against the dynamic signature, and mitigated according to internal logic, and settings you can specify. When packet processing on the system falls back to normal levels, the signature no longer appears as an attack, and is removed from the dynamic signature list.

Enforcement modes

The following modes are available for dynamic signature enforcement.
Disabled
In this mode, no dynamic signature enforcement occurs.
Learn-Only
In this mode, the system establishes a baseline for packet processing on AFM. Learn-Only mode detects traffic patterns, establishes a baseline, and detects anomalies, but does not generate logs or dynamic signatures. Attacks are not mitigated in Learn-Only mode.
Enabled
In this mode, the system monitors traffic, compares traffic changes over time, and detects anomalies. Attacks are logged, dynamic signatures are generated, packets are compared to the dynamic signature, and attacks are mitigated. When an attack ceases, the dynamic signature is removed from the list.

Mitigation Sensitivity

Mitigation sensitivity establishes how aggressively the system mitigates dynamic DoS attacks. You can set this to None, Low, Medium, or High. By default, mitigation sensitivity is set to None. Low sensitivity is the least aggressive, at the risk of allowing more attack packets through. High drops packets more aggressively, even when attack confidence is lower.

Redirection/Scrubbing

You can configure redirection and scrubbing to handle mitigation of dynamic DoS signatures with an IP Intelligence category. The following parameters can be configured for redirection and scrubbing.

Scrubbing Category
You can select an IP Intelligence category for IP addresses blocked by dynamic DoS signatures. By default, the IP intelligence category for scrubbed IP addresses is attacked_ips.
Scrubbing Advertisement Time
This is the duration for which a mitigated IP is advertised to the IP Intelligence mechanism for scrubbing. The default is 300 seconds.

Start Relearning

The Start Relearning option clears historical data, thresholds and signatures for the dynamic DoS detection system. The Dynamic DoS signature baseline is re-established. Relearning occurs for a period of 20 minutes. You can relearn dynamic signatures at the device level or at the protected object level (on the virtual server Security tab).

Detecting global dynamic DoS attacks

You can enable dynamic signatures at the system level to dynamically detect and mitigate DoS attacks. Dynamic signatures can apply to Network or DNS device protection.
  1. On the Main tab, click Security > DoS Protection > Device Protection .
    The DoS Device Protection screen opens.
  2. At the bottom of the screen, select the Edit icon (pencil) on the right side of the Network or DNS areas.
    The Network or DNS properties pane opens on the right.
  3. In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled.
    Note: At first, you may want to select Learn Only to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select Enabled.
  4. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  5. For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  6. If using Redirection/Scrubbing to redirect traffic identified by dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category to assign to the scrubbed packets.
  7. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  8. Click Commit Changes to System to save the changes.
    The configuration is updated, and the Device Protection screen opens again.
You have enabled dynamic signatures at the system level. The system monitors traffic, detects anomalies, and generates dynamic signatures are generated, packets are compared to the dynamic signature, and attacks are mitigated. When an attack ceases, the dynamic signature is removed from the list.

Detecting dynamic DoS network attacks with a protection profile

You enable dynamic DoS signatures on a protection profile to detect dynamic DoS attacks at a more granular level than the system level. In this case, the protected objects associated with the protection profile use dynamic signature enforcement. Dynamic signatures can apply to Network or DNS device protection.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles .
    The Protection Profiles list screen opens.
  2. Click the name of an existing protection profile (or create a new one).
    The Protection Profile Properties screen for that profile opens.
  3. At the bottom of the screen, select the Edit icon (pencil) on the right side of the Network or DNS areas.
    The Network or DNS properties pane opens on the right.
  4. In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled.
    Note: At first, you may want to select Learn Only to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select Enabled.
  5. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  6. For Network vectors only: To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  7. In the Scrubbing Advertisement Time field, specify the amount of time during which an IP address remains in the blacklist category (default is 300 seconds).
  8. Click Commit Changes to System to save the changes.
    The Protection Profile is updated.
You have configured the protection profile to detect dynamic DoS vectors and mitigate such attacks.
Next, you associate the protection profile with one or more protected objects to enable dynamic signature enforcement on those protected objects.

Associating a protection profile with a protected object

You must add the DoS protection profile to the protected object to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Security > DoS Protection > Protected Objects .
  2. Click the name of the protected object (virtual server) to which you want to assign a protection profile.
    The Properties pane opens on the right.
  3. In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
    Note: Ensure a Service Profile is selected to enable the protected object to process application traffic.
  4. Click Save.
The DoS protection profile is associated with the protected object and DoS protection is now enabled.

Viewing and persisting dynamic signatures

The BIG-IP AFM system must have completed the traffic learning period, two hours by default, and detected one or more traffic pattern anomalies in order to create a dynamic signature.
Dynamic signatures can not be modified and do not remain in the configuration by default. You can view dynamic signature details and if the signature is considered useful, you can make it permanent., or persistent in the configuration. Persistent signatures can be also be modified.
  1. On the Main tab, click Security > DoS Protection > Signatures .
  2. Click Dynamic to expand the list of Dynamic Signatures
  3. Review the relevant signature statistics such as Creation Info and Threshold EPS.
  4. Click the name of the signature to view the signature Predicate List.
  5. To make the dynamic signature a permanent or a Persistent signature, check the box next to the signature and click Make Persistent.
  6. To modify the signature, click Persistent.
  7. Click the name of the signature.
  8. The Properties page will appear to the right, allowing you to modify the signature.