Manual Chapter : Detecting and Preventing System DoS and DDoS Attacks

Applies To:

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Detecting and Preventing System DoS and DDoS Attacks

About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

DoS and DDoS attack detection and prevention is enabled by the BIG-IP® Advanced Firewall Manager™ (AFM™) Device DoS profile. These features are enabled with an Advanced Firewall Manager license, which also includes DNS protocol detection support. DoS and DDoS detection and prevention serves two functions:

  • To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.
  • To determine unusual increases in packets of specific types that are known attack vectors. Possible attack vectors are tracked over the past hour, and the current rate is compared to the average of that hour.

You can configure the levels at which a BIG-IP device detects all system-supported DoS attacks.

Detecting and protecting against DoS and DDoS attacks

The BIG-IP® system handles DoS and DDoS attacks with preconfigured responses. With the DoS Protection Device Configuration, you set detection thresholds and internal rate limits for a range of DoS and DDoS attack vectors.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. If you are using remote logging, from the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
  3. In the Category column, expand a category to view and edit the attack types for that category.
  4. In the Attack Type column, click the name of any attack type to edit the settings.
    The configuration page for the particular attack appears.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value, in packets per second, for the attack detection threshold. If packets of this type cross the threshold, an attack is logged and reported. The system continues to check every second and continues to report an attack for as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is never logged or reported.
  6. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set the percentage increase over the hourly average at which an attack is considered to be occurring. The system compares the current rate to the average rate from the last hour. For example, if the average rate for the last hour is 1000 packets per second and you set the percentage increase threshold to 100, an attack is detected at 100 percent above the average, or 2000 packets per second. When the threshold is passed, an attack is logged and reported.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is never logged or reported.
  7. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value, in packets per second, that packets of this type cannot exceed. All packets of this type over the limit are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
    Important: If a packet is determined to be an error packet, that packet is dropped, regardless of these settings.
  8. Click the Update button.
    The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  9. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.
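As an added example, not part of the F5 documentation, the following Python models how the three per-vector settings above interact for one vector: each one-second rate is checked against the Detection Threshold PPS, against the Detection Threshold Percent computed over the past hour's average, and against the Default Internal Rate Limit. `VectorConfig`, `evaluate` and `run` are hypothetical names, and `None` stands for the Infinite choice in the GUI.

```python
from collections import deque

class VectorConfig:
    """Hypothetical model of one Device DoS vector's settings; None = Infinite."""
    def __init__(self, detect_pps=None, detect_pct=None, rate_limit_pps=None):
        self.detect_pps = detect_pps            # Detection Threshold PPS
        self.detect_pct = detect_pct            # Detection Threshold Percent
        self.rate_limit_pps = rate_limit_pps    # Default Internal Rate Limit

def evaluate(config, history, current_pps):
    """Classify one second of traffic for a vector.

    history: per-second rates seen over the past hour (oldest first).
    Returns (attack_detected, packets_dropped) for this second.
    """
    detected = False
    # PPS threshold: an attack is logged once the rate reaches the configured value.
    if config.detect_pps is not None and current_pps >= config.detect_pps:
        detected = True
    # Percent threshold: the current rate is compared to the hourly average;
    # 100 percent over a 1000 pps average means detection at 2000 pps.
    if config.detect_pct is not None and history:
        hourly_avg = sum(history) / len(history)
        if current_pps >= hourly_avg * (1 + config.detect_pct / 100):
            detected = True
    # Internal rate limit: everything above the limit is dropped, whether or
    # not detection fired.
    dropped = 0
    if config.rate_limit_pps is not None and current_pps > config.rate_limit_pps:
        dropped = current_pps - config.rate_limit_pps
    return detected, dropped

def run(config, samples):
    """Feed consecutive per-second rates; return one (detected, dropped) per second."""
    history = deque(maxlen=3600)            # one hour of one-second samples
    results = []
    for pps in samples:
        results.append(evaluate(config, list(history), pps))
        history.append(pps)                 # the current second joins the average
    return results
```

With a 100 percent threshold and a 1500 pps rate limit, ten seconds at 1000 pps followed by a 2000 pps second yields a detection and 500 dropped packets in that second; a following second at 1400 pps is neither detected nor rate-limited.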

Network DoS Protection attack types

This table lists Network DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.

Attention: All hardware-supported vectors are performed in hardware on vCMP guests, as long as the vCMP guests have the same software version as the vCMP host.
| Attack | DoS vector name | Description | Classification | Hardware accelerated |
|---|---|---|---|---|
| Bad ICMP frame | bad-icmp-frame | Bad ICMP frame | Err | Yes |
| ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. | Err | Yes |
| Bad IP TTL value | bad-ttl-val | Time-to-live equals zero for IPv4 | Err | Yes |
| Bad IP version | bad-ver | IP version in the IPv4 header is not 4 | Err | Yes |
| Bad IPv6 hop count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad | Flood | Yes |
| IPv6 hop count <= 1 | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to 1. | Flood | Yes |
| Bad IPv6 version | bad-ipv6-ver | IP version in the IPv6 header is not 6 | Err | Yes |
| Bad TCP checksum | bad-tcp-chksum | Bad TCP checksum | Err | Yes |
| Bad TCP flags (all cleared and SEQ#=0) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0) | Err (Note: BIG-IP system drops packets) | Yes |
| Bad TCP flags (all flags set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set) | Err | Yes |
| Bad UDP checksum | bad-udp-chksum | Bad UDP checksum | Err | Yes |
| Bad UDP header | bad-udp-hdr | UDP length is greater than IP length or layer 2 length | Err | Yes |
| Ethernet broadcast packet | ether-brdcst-pkt | Ethernet broadcast packet | Flood | Yes |
| Ethernet multicast packet | ether-multicst-pkt | Ethernet multicast packet | Flood | Yes |
| Ethernet MAC SA = DA | ether-mac-sa-eq-da | Ethernet MAC source address equals destination address | Err | Yes |
| ICMP flood | icmpv4-flood | Flood with ICMPv4 packets | Flood | Yes |
| ICMPv6 flood | icmpv6-flood | Flood with ICMPv6 packets | Flood | Yes |
| UDP flood | udp-flood | UDP flood attack | Flood | Yes |
| ICMP fragment | icmp-frag | ICMP fragment flood | Flood | Yes |
| ARP Flood | arp-flood | ARP flood | Flood | Yes |
| IP error checksum | ip-err-chksum | IPv4 header checksum error | Err | Yes |
| IP fragment error | ip-other-frag | IPv4 attack caused by incomplete fragments; counted from fragment-buffer statistics, not the number of fragment packets | Sophisticated | No |
| IPv6 fragment error | ipv6-other-frag | IPv6 attack caused by incomplete fragments; counted from fragment-buffer statistics, not the number of fragment packets | Sophisticated | No |
| IP fragment overlap | ip-overlap-frag | IPv4 overlapping fragment error | Sophisticated | No |
| IPv6 fragment overlap | ipv6-overlap-frag | IPv6 overlapping fragment error | Sophisticated | No |
| IP Header length too short | hdr-len-too-short | IPv4 header length is less than 20 bytes. | Err | Yes |
| IP Header length > L2 length | hdr-len-gt-l2-len | No room in the layer 2 packet for the IPv4 header (including options) | Err | Yes |
| IP length > L2 length | ip-len-gt-l2-len | Total length in the IPv4 header is greater than the layer 3 length in the layer 2 packet | Err | Yes |
| IPv6 length > L2 length | ipv6-len-gt-l2-len | IPv6 length is greater than the layer 2 length | Err | Yes |
| Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length | Err | Yes |
| IP option frames | ip-opt-frames | IPv4 packet with options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Flood | Yes |
| Bad IP option | bad-ip-opt | Incorrect IP option. | Err | No |
| IPv6 extended header frames | ipv6-ext-hdr-frames | IPv6 packet contains extended header frames | Flood | Yes |
| IP fragment flood | ip-frag-flood | IP packet flood. | Flood | Yes |
| IPv6 fragment flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | Flood | Yes |
| IP fragment too small | ip-short-frag | IPv4 short fragment error | Err | Yes |
| IPv6 fragment too small | ipv6-short-frag | IPv6 short fragment error | Err | Yes |
| IPv6 fragment error | ipv6-other-frag | IPv6 attack caused by incomplete fragments; counted from fragment-buffer statistics, not the number of fragment packets | Sophisticated | Yes |
| IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Err | Yes |
| IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. | Err | Yes |
| IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 header are in the wrong order. | Err | Yes |
| L2 length > IP length | l2-len-ggt-ip-len | Layer 2 packet length is greater than the payload length in the IPv4 header, and the layer 2 length is greater than the minimum packet size. | Flood | No |
| No L4 | no-l4 | No layer 4 payload for IPv4 | Err | Yes |
| No L4 (extended headers go to or past end of frame) | l4-ext-hdrs-go-end | No layer 4 (extended headers go to or past end of frame) | Err | Yes |
| Option present with illegal length | bad-ip-opt | Option present with illegal length | Detection only | Yes |
| Payload length < L2 length | payload-len-ls-l2-len | Payload length in the IPv6 header is less than the layer 3 length in the layer 2 packet | Err | No |
| Routing header type 0 | routing-header-type-0 | Routing header type zero is present | Flood | Yes |
| SYN & FIN set | syn-and-fin-set | Bad TCP flags (SYN and FIN set) | Err (Note: BIG-IP system drops packets) | Yes |
| TCP FIN only set | fin-only-set | Bad TCP flags (only FIN is set) | Err | Yes |
| TCP SYN Flood | tcp-syn-flood | TCP SYN packet flood. | Flood | Yes |
| TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK packet flood. | Flood | Yes |
| TCP ACK Flood | tcp-ack-flood | TCP ACK packet flood. | Flood | No |
| TCP RST Flood | tcp-rst-flood | TCP RST packet flood. | Flood | Yes |
| TCP header length too short (length < 5) | tcp-hdr-len-too-short | Data offset (Off) in the TCP header gives a header length of less than 20 bytes | Err | Yes |
| TCP header length > L2 length | tcp-hdr-len-gt-l2-len | No room in the packet for the TCP header, including options | Err | Yes |
| TCP option overruns TCP header | tcp-opt-overruns-tcp-hdr | TCP option overruns TCP header | Detection only | Yes |
| Too many extended headers | too-many-ext-hdrs | The IPv6 packet has more than four extended headers (configurable with the db variable dos.maxipv6exthdrs) | Flood | Yes |
| TTL <= 1 | ttl-leq-one | IP forwarding time-to-live is less than one | Err | Yes |
| Host unreachable | host-unreachable | Host unreachable error | Err | Yes |
| LAND Attack | land-attack | Spoofed TCP SYN packet attack | Flood | Yes |
| Unknown TCP option type | unk-tcp-opt-type | Unknown TCP option type | Detection only | Yes |
| TIDCMP | tidcmp | ICMP source quench attack | Detection only | Yes |
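To make the Err-class definitions in the table concrete, here is an added Python example (not BIG-IP code) that checks a raw Ethernet/IPv4/TCP frame against a subset of the vectors above and returns the vector names it matches. `classify` and `make_frame` are hypothetical helpers, and the 54-byte frame that `make_frame` builds is constructed for the test.

```python
import struct

# Added example, not BIG-IP code: a subset of the Err-class header checks from the table.
SYN, FIN, ALL_SIX_FLAGS = 0x02, 0x01, 0x3F   # URG/ACK/PSH/RST/SYN/FIN bits

def classify(frame: bytes) -> list:
    hits = []
    if len(frame) < 14:
        return hits
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if src == dst:
        hits.append("ether-mac-sa-eq-da")
    if ethertype != 0x0800 or len(frame) < 34:
        return hits                        # only IPv4 with a full header is modelled
    ip = frame[14:]
    l2_len = len(ip)                       # bytes left for the IP packet in the frame
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if version != 4:
        hits.append("bad-ver")
    if ihl < 20:
        hits.append("hdr-len-too-short")
    if total_len > l2_len:                 # IP total length claims more than L2 carries
        hits.append("ip-len-gt-l2-len")
    if ttl <= 1:                           # follows the vector name ttl-leq-one
        hits.append("ttl-leq-one")
    if proto == 6 and 20 <= ihl <= l2_len - 20:   # full TCP header present
        tcp = ip[ihl:]
        seq = struct.unpack("!I", tcp[4:8])[0]
        data_off, flags = (tcp[12] >> 4) * 4, tcp[13] & ALL_SIX_FLAGS
        if flags == 0 and seq == 0:
            hits.append("bad-tcp-flags-all-clr")
        if flags == ALL_SIX_FLAGS:
            hits.append("bad-tcp-flags-all-set")
        if flags & (SYN | FIN) == SYN | FIN:
            hits.append("syn-and-fin-set")
        if flags == FIN:
            hits.append("fin-only-set")
        if data_off < 20:                  # Off field below 5 words
            hits.append("tcp-hdr-len-too-short")
    return hits

def make_frame(ttl=64, flags=SYN, seq=1, version=4, data_off_words=5) -> bytes:
    """Constructed 54-byte Ethernet/IPv4/TCP frame (no payload) for testing."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, seq, 0, data_off_words << 4, flags, 0, 0, 0)
    return eth + ip + tcp
```

A well-formed SYN yields no hits; a truncated copy of the same frame trips ip-len-gt-l2-len because the IPv4 total length still claims 40 bytes.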