Applies To: BIG-IP AFM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Detecting and Preventing System DoS and DDoS Attacks
About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks
DoS and DDoS attack detection and prevention is enabled by the BIG-IP® Advanced Firewall Manager™ (AFM™) Device DoS profile. The DoS detection and prevention features require an Advanced Firewall Manager license, which also includes DNS protocol detection support. DoS and DDoS detection and prevention serves two functions:
- To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.
- To detect unusual increases in packets of specific types that are known attack vectors. Each possible attack vector is tracked over the past hour, and the current rate for that vector is compared to the average over that hour.
You can configure the levels at which a BIG-IP device detects each of the system-supported DoS attack vectors.
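As an added illustration (not F5 code, and not the algorithm BIG-IP actually uses), the following Python sketch shows the kind of per-vector rate tracking the description above implies: a trailing one-hour window of per-second counts, a detection rule that compares the current second with that window, and a rate limit applied only while the vector is in attack. The threshold values, the rule that a second must exceed both a packets-per-second floor and the hourly average raised by a percentage, and the choice to keep attack seconds out of the baseline are assumptions of this example; the traffic traces are constructed, not measured.

```python
from collections import deque

class VectorRateDetector:
    """Track one DoS vector's packet rate against its trailing hourly average.

    Assumptions of this example (not BIG-IP's documented behaviour): a second is
    flagged only when its count exceeds BOTH the pps floor and the hourly average
    raised by detect_percent; seconds flagged as attack are not added to the
    baseline, so a sustained flood cannot drag the average up and hide itself."""

    def __init__(self, name, detect_pps=1000, detect_percent=500,
                 rate_limit_pps=4000, window_s=3600):
        self.name = name
        self.detect_pps = detect_pps            # floor: below this, never an attack
        self.detect_percent = detect_percent    # percent above the trailing average
        self.rate_limit_pps = rate_limit_pps    # packets/s passed while under attack
        self.history = deque(maxlen=window_s)   # per-second counts, trailing hour

    def baseline(self) -> float:
        return sum(self.history) / len(self.history) if self.history else 0.0

    def observe(self, count):
        """Feed one second's packet count; return (detected, packets_dropped)."""
        ceiling = self.baseline() * (1 + self.detect_percent / 100.0)
        detected = count > self.detect_pps and count > ceiling
        if detected:
            return True, max(0, count - self.rate_limit_pps)
        self.history.append(count)
        return False, 0

def simulate(detector, counts):
    """Run per-second counts through a detector; return (flagged seconds, total dropped)."""
    flagged, dropped = [], 0
    for t, c in enumerate(counts):
        hit, d = detector.observe(c)
        if hit:
            flagged.append(t)
        dropped += d
    return flagged, dropped

# Constructed traces (not real measurements): a quiet ICMP baseline around 200 pps,
# a ten-second 20 000 pps flood, then the baseline again.
QUIET = [200 + (t % 7) * 5 for t in range(60)]
ICMP_TRACE = QUIET + [20000] * 10 + QUIET[:10]

def run_demo() -> dict:
    icmp = VectorRateDetector("icmpv4-flood")
    flagged, dropped = simulate(icmp, ICMP_TRACE)
    # Caveat worth knowing when tuning: a rise that stays under the pps floor is
    # never flagged, however far above the hourly average it is (here 18x).
    arp = VectorRateDetector("arp-flood", detect_pps=1000)
    arp_flagged, _ = simulate(arp, [50] * 60 + [900] * 10)
    return {"flagged": flagged, "dropped": dropped,
            "baseline_after": round(icmp.baseline(), 1), "arp_flagged": arp_flagged}

if __name__ == "__main__":
    print(run_demo())
```

The two traces show why both parameters matter: with a percentage-only rule, the ARP vector at 900 pps (eighteen times its average) would be flagged and rate-limited even though nothing is overloaded; with a floor-only rule, the hourly average plays no part and a vector whose normal rate sits just under the floor gets no protection from a modest but sustained rise. The per-vector floor is the value that has to be tuned against each vector's real traffic.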
Detecting and protecting against DoS and DDoS attacks
Network DoS Protection attack types
This table lists the Network DoS attack types. Each row gives the display name, the DoS vector name (the identifier used to configure the vector), a short description, the classification, and whether detection of the vector is hardware accelerated.
Attack | DoS vector name | Description | Classification | Hardware accelerated |
---|---|---|---|---|
Bad ICMP frame | bad-icmp-frame | Malformed ICMP frame. | Err | Yes |
ICMP frame too large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. | Err | Yes |
Bad IP TTL value | bad-ttl-val | IPv4 time-to-live equals zero. | Err | Yes |
Bad IP version | bad-ver | Version field in the IPv4 header is not 4. | Err | Yes |
Bad IPv6 hop count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) hop counts are bad. | Flood | Yes |
IPv6 hop count <= 1 | hop-cnt-leq-one | The IPv6 hop limit is less than or equal to 1. | Flood | Yes |
Bad IPv6 version | bad-ipv6-ver | Version field in the IPv6 header is not 6. | Err | Yes |
Bad TCP checksum | bad-tcp-chksum | TCP checksum is incorrect. | Err | Yes |
Bad TCP flags (all cleared and SEQ#=0) | bad-tcp-flags-all-clr | All TCP flags cleared and the sequence number is zero. Note: the BIG-IP system drops these packets. | Err | Yes |
Bad TCP flags (all flags set) | bad-tcp-flags-all-set | All TCP flags set. | Err | Yes |
Bad UDP checksum | bad-udp-chksum | UDP checksum is incorrect. | Err | Yes |
Bad UDP header | bad-udp-hdr | UDP length is greater than the IP length or the layer 2 length. | Err | Yes |
Ethernet broadcast packet | ether-brdcst-pkt | Ethernet broadcast packet. | Flood | Yes |
Ethernet multicast packet | ether-multicst-pkt | Ethernet multicast packet. | Flood | Yes |
Ethernet MAC SA = DA | ether-mac-sa-eq-da | Ethernet source MAC address equals the destination MAC address. | Err | Yes |
ICMP flood | icmpv4-flood | Flood of ICMPv4 packets. | Flood | Yes |
ICMPv6 flood | icmpv6-flood | Flood of ICMPv6 packets. | Flood | Yes |
UDP flood | udp-flood | Flood of UDP packets. | Flood | Yes |
ICMP fragment | icmp-frag | Flood of ICMP fragments. | Flood | Yes |
ARP flood | arp-flood | Flood of ARP packets. | Flood | Yes |
IP error checksum | ip-err-chksum | IPv4 header checksum is incorrect. | Err | Yes |
IP fragment error | ip-other-frag | IPv4 attack caused by incomplete fragments; counted from fragment buffer statistics, not from the number of fragment packets. | Sophisticated | No |
IPv6 fragment error | ipv6-other-frag | IPv6 attack caused by incomplete fragments; counted from fragment buffer statistics, not from the number of fragment packets. | Sophisticated | No |
IP fragment overlap | ip-overlap-frag | IPv4 overlapping fragment error. | Sophisticated | No |
IPv6 fragment overlap | ipv6-overlap-frag | IPv6 overlapping fragment error. | Sophisticated | No |
IP header length too short | hdr-len-too-short | IPv4 header length is less than 20 bytes. | Err | Yes |
IP header length > L2 length | hdr-len-gt-l2-len | No room in the layer 2 packet for the IPv4 header (including options). | Err | Yes |
IP length > L2 length | ip-len-gt-l2-len | Total length in the IPv4 header is greater than the layer 3 length in the layer 2 packet. | Err | Yes |
IPv6 length > L2 length | ipv6-len-gt-l2-len | IPv6 length is greater than the layer 2 length. | Err | Yes |
Payload length < L2 length | payload-len-ls-l2-len | The payload length in the IPv6 header is less than the layer 3 length in the layer 2 packet. | Err | Yes |
IP option frames | ip-opt-frames | IPv4 packet with IP options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Flood | Yes |
Bad IP option | bad-ip-opt | Incorrect IP option. | Err | No |
IPv6 extended header frames | ipv6-ext-hdr-frames | IPv6 packet contains extension headers. | Flood | Yes |
IP fragment flood | ip-frag-flood | Flood of fragmented IPv4 packets. | Flood | Yes |
IPv6 fragment flood | ipv6-frag-flood | Flood of fragmented IPv6 packets. | Flood | Yes |
IP fragment too small | ip-short-frag | IPv4 short fragment error. | Err | Yes |
IPv6 fragment too small | ipv6-short-frag | IPv6 short fragment error. | Err | Yes |
IPv6 duplicate extension headers | dup-ext-hdr | An extension header occurs more than once in an IPv6 packet; only the Destination Options extension header may appear twice. | Err | Yes |
IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. | Err | Yes |
IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 packet are in the wrong order. | Err | Yes |
L2 length > IP length | l2-len-ggt-ip-len | Layer 2 packet length is greater than the total length in the IPv4 header, and the layer 2 length is greater than the minimum packet size. | Flood | No |
No L4 | no-l4 | No layer 4 payload in the IPv4 packet. | Err | Yes |
No L4 (extended headers go to or past end of frame) | l4-ext-hdrs-go-end | No layer 4 payload because the IPv6 extension headers go to or past the end of the frame. | Err | Yes |
Option present with illegal length | bad-ip-opt | An IP option is present with an illegal length. | Detection only | Yes |
Routing header type 0 | routing-header-type-0 | IPv6 routing header type 0 is present. | Flood | Yes |
SYN & FIN set | syn-and-fin-set | Bad TCP flags (SYN and FIN both set). Note: the BIG-IP system drops these packets. | Err | Yes |
TCP FIN only set | fin-only-set | Bad TCP flags (only FIN is set). | Err | Yes |
TCP SYN flood | tcp-syn-flood | Flood of TCP SYN packets. | Flood | Yes |
TCP SYN ACK flood | tcp-synack-flood | Flood of TCP SYN/ACK packets. | Flood | Yes |
TCP ACK flood | tcp-ack-flood | Flood of TCP ACK packets. | Flood | No |
TCP RST flood | tcp-rst-flood | Flood of TCP RST packets. | Flood | Yes |
TCP header length too short (length < 5) | tcp-hdr-len-too-short | The data offset in the TCP header is less than 5, so the header is shorter than 20 bytes. | Err | Yes |
TCP header length > L2 length | tcp-hdr-len-gt-l2-len | No room in the packet for the TCP header, including options. | Err | Yes |
TCP option overruns TCP header | tcp-opt-overruns-tcp-hdr | A TCP option extends past the end of the TCP header. | Detection only | Yes |
Too many extended headers | too-many-ext-hdrs | An IPv6 packet has more than four extension headers (the limit is set by the db variable dos.maxipv6exthdrs). | Flood | Yes |
TTL <= 1 | ttl-leq-one | IPv4 time-to-live is less than or equal to one. | Err | Yes |
Host unreachable | host-unreachable | ICMP host unreachable error. | Err | Yes |
LAND attack | land-attack | Spoofed TCP SYN packet whose source address and port equal its destination address and port. | Flood | Yes |
Unknown TCP option type | unk-tcp-opt-type | TCP option of an unknown type. | Detection only | Yes |
TIDCMP | tidcmp | ICMP source quench attack. | Detection only | Yes |
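Most of the Err vectors in the table are a fixed test on one header field: bad-ver, hdr-len-too-short, ip-len-gt-l2-len, ip-err-chksum, syn-and-fin-set, land-attack, bad-udp-hdr and so on. The following Python script, added here as an illustration and not F5 code, implements a subset of those tests over constructed Ethernet/IPv4 frames and reports which vector names each frame would trip. The frame builders, the sample frames, and the decision to report only the most specific TCP-flag vector per packet are assumptions of this example, not documented BIG-IP behaviour.

```python
import struct

# Sample frames below are constructed for this example, not captured traffic.
MAC_BCAST = b"\xff" * 6
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SYN, FIN = 0x02, 0x01

def ip_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 for a header whose checksum field is correct.
    IPv4 headers are always a multiple of 4 bytes, so no odd-length padding is needed."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload, *, version=4, ihl=5, ttl=64,
               total_len=None, bad_csum=False):
    """IPv4 header + payload; the keyword knobs produce deliberately broken headers."""
    total_len = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len,
                      0, 0, ttl, proto, 0, src, dst)
    csum = ip_checksum(hdr)
    if bad_csum:
        csum = (csum + 1) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def build_tcp(sport, dport, flags, seq=1, doff=5):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, flags, 8192, 0, 0)

def frame(dst, src, l3, ethertype=0x0800):
    return dst + src + struct.pack("!H", ethertype) + l3

def classify_frame(fr: bytes) -> list:
    """Return the vector names from the table that this frame trips (IPv4 subset only)."""
    hits = []
    dst, src = fr[:6], fr[6:12]
    if dst == MAC_BCAST:
        hits.append("ether-brdcst-pkt")
    if src == dst:
        hits.append("ether-mac-sa-eq-da")
    if len(fr) < 15 or struct.unpack("!H", fr[12:14])[0] != 0x0800:
        return hits                        # only IPv4 is parsed here
    ip = fr[14:]                           # len(ip) is the "L2 length" the table refers to
    if ip[0] >> 4 != 4:
        hits.append("bad-ver")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20:
        return hits + ["hdr-len-too-short"]
    if ihl > len(ip):
        return hits + ["hdr-len-gt-l2-len"]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len > len(ip):
        hits.append("ip-len-gt-l2-len")
    if ip_checksum(ip[:ihl]) != 0:
        hits.append("ip-err-chksum")
    proto = ip[9]
    l4 = ip[ihl:min(total_len, len(ip))]
    if proto in (6, 17) and not l4:
        return hits + ["no-l4"]
    if proto == 6:
        if len(l4) < 14 or (l4[12] >> 4) * 4 > len(l4):
            return hits + ["tcp-hdr-len-gt-l2-len"]
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        flags = l4[13] & 0x3F              # FIN SYN RST PSH ACK URG (CWR/ECE ignored here)
        if l4[12] >> 4 < 5:
            hits.append("tcp-hdr-len-too-short")
        if flags == 0x3F:                  # if/elif: report the most specific flag vector
            hits.append("bad-tcp-flags-all-set")
        elif flags & (SYN | FIN) == SYN | FIN:
            hits.append("syn-and-fin-set")
        elif flags == 0 and seq == 0:
            hits.append("bad-tcp-flags-all-clr")
        if flags & SYN and ip[12:16] == ip[16:20] and sport == dport:
            hits.append("land-attack")
    elif proto == 17:
        if len(l4) < 8 or struct.unpack("!H", l4[4:6])[0] > len(l4):
            hits.append("bad-udp-hdr")
    return hits

A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
OK_TCP = build_tcp(40000, 80, SYN)
SAMPLES = {
    "normal-syn": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, OK_TCP)),
    "land": frame(MAC_B, MAC_A, build_ipv4(B, B, 6, build_tcp(80, 80, SYN))),
    "syn-fin": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, build_tcp(40000, 80, SYN | FIN))),
    "all-flags": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, build_tcp(40000, 80, 0x3F))),
    "null-seq0": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, build_tcp(40000, 80, 0, seq=0))),
    "bad-version": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, OK_TCP, version=6)),
    "ip-len-lies": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, OK_TCP, total_len=1400)),
    "bad-csum": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, OK_TCP, bad_csum=True)),
    "no-l4": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, b"")),
    "short-tcp-hdr": frame(MAC_B, MAC_A, build_ipv4(A, B, 6, build_tcp(40000, 80, SYN, doff=4))),
    "udp-len-lies": frame(MAC_B, MAC_A, build_ipv4(A, B, 17, struct.pack("!HHHH", 53, 53, 500, 0) + b"abcd")),
    "bcast-sa-eq-da": frame(MAC_BCAST, MAC_BCAST, build_ipv4(A, B, 6, OK_TCP)),
}

def classify_samples() -> dict:
    return {name: classify_frame(fr) for name, fr in SAMPLES.items()}
```

Running `classify_samples()` gives one list of vector names per sample, empty for the well-formed SYN. Two details are worth noting when reading the table against real traffic: the length vectors compare header fields against the bytes actually present after the Ethernet header, so a frame can trip ip-len-gt-l2-len while its TCP segment still parses cleanly, and a single packet can legitimately match more than one vector (the broadcast sample trips both ether-brdcst-pkt and ether-mac-sa-eq-da).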