Manual Chapter : Detecting and Preventing System DoS and DDoS Attacks

Applies To:


BIG-IP AFM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

DoS and DDoS attack detection and prevention is enabled by the BIG-IP® Advanced Firewall Manager™ (AFM™) Device DoS profile. The DoS detection and prevention features are enabled with an Advanced Firewall Manager license, which also includes DNS protocol detection support. DoS and DDoS detection and prevention serves two functions:

  • To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.
  • To detect unusual increases in packets of specific types that are known attack vectors. Possible attack vectors are tracked over the past hour, and the current rate is compared to the average for that hour.

You can configure the levels at which a BIG-IP device detects all system-supported DoS attacks.

Detecting and protecting against DoS and DDoS attacks

The BIG-IP® system handles DoS and DDoS attacks with preconfigured responses. With the DoS Protection Device Configuration, you set detection thresholds and internal rate limits for a range of DoS and DDoS attack vectors.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. If you are using remote logging, from the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
  3. In the Category column, expand a category to view and edit the attack types for that category.
  4. In the Attack Type column, click the name of any attack type to edit the settings.
    The configuration page for the particular attack appears.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value for the attack detection threshold. The value is compared against the average packets per second over the last minute. If packets of this type cross the threshold, an attack is logged and reported. The system continues to check every second, and continues to report the attack for as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This threshold then never triggers logging or reporting for this attack type.
  6. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set the percentage increase over the hourly average at which an attack is considered to be occurring. The system compares the current rate to the average rate over the last hour. For example, if the average rate for the last hour is 1000 packets per second and you set the percentage increase threshold to 100, an attack is detected at 100 percent above the average, that is, at 2000 packets per second. When the threshold is passed, an attack is logged and reported.
    • Use Infinite to set no value for the threshold. This threshold then never triggers logging or reporting for this attack type.
  7. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value, in packets per second, that packets of this type cannot exceed. All packets of this type over the limit are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the limit. This specifies that this type of attack is not rate-limited.
    Important: If a packet is determined to be an error packet, that packet is dropped regardless of these settings.
  8. Click the Update button.
    The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  9. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.
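The three per-vector settings in the procedure above interact in a way that is easier to see in code. The following Python model is an added example and is not F5 code or the BIG-IP implementation. It treats the settings as the page describes them (the PPS threshold is checked against a one-minute average, the percent threshold against the last hour's average, the rate limit is an independent packets-per-second cap, and Infinite switches a check off) and makes two assumptions the page does not state: the hourly baseline excludes the second being evaluated, and a rate equal to the computed trigger point counts as crossing it. The traffic samples are constructed.

```python
"""Per-vector Device DoS thresholds as a small simulation (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional

INFINITE = None  # the GUI's "Infinite": the check is switched off


@dataclass
class VectorConfig:
    """One row of the Device Configuration screen, e.g. tcp-syn-flood."""
    name: str
    detection_threshold_pps: Optional[int] = INFINITE
    detection_threshold_percent: Optional[int] = INFINITE
    rate_limit_pps: Optional[int] = INFINITE


@dataclass
class SecondResult:
    second: int
    pps: int
    forwarded: int
    dropped: int
    attack: bool
    reason: str  # "pps", "percent" or ""


@dataclass
class VectorState:
    cfg: VectorConfig
    last_minute: Deque[int] = field(default_factory=lambda: deque(maxlen=60))
    last_hour: Deque[int] = field(default_factory=lambda: deque(maxlen=3600))
    attack_active: bool = False
    clock: int = 0
    log: List[str] = field(default_factory=list)

    def observe_second(self, pps: int) -> SecondResult:
        """Feed one second of traffic for this vector, evaluate both detection
        thresholds and apply the rate limit. Assumptions (not stated by the
        page): the hourly baseline excludes the current second, and a rate
        equal to the computed trigger point counts as crossing it."""
        self.clock += 1
        cfg = self.cfg
        reason = ""

        # Detection Threshold PPS: average packets per second over the last minute.
        self.last_minute.append(pps)
        minute_avg = sum(self.last_minute) / len(self.last_minute)
        if cfg.detection_threshold_pps is not INFINITE and minute_avg >= cfg.detection_threshold_pps:
            reason = "pps"

        # Detection Threshold Percent: current rate vs. the last hour's average.
        if cfg.detection_threshold_percent is not INFINITE and self.last_hour:
            hour_avg = sum(self.last_hour) / len(self.last_hour)
            trigger = hour_avg * (1 + cfg.detection_threshold_percent / 100)
            if hour_avg > 0 and pps >= trigger:
                reason = reason or "percent"
        self.last_hour.append(pps)

        # Log only the transitions; the attack stays reported while it persists.
        attack = reason != ""
        if attack and not self.attack_active:
            self.log.append(f"t={self.clock}s {cfg.name}: attack detected ({reason})")
        elif not attack and self.attack_active:
            self.log.append(f"t={self.clock}s {cfg.name}: attack ended")
        self.attack_active = attack

        # Default Internal Rate Limit: independent of detection; the excess is dropped.
        forwarded = pps if cfg.rate_limit_pps is INFINITE else min(pps, cfg.rate_limit_pps)
        return SecondResult(self.clock, pps, forwarded, pps - forwarded, attack, reason)


def replay(cfg: VectorConfig, samples: List[int]) -> VectorState:
    """Run a per-second sample series through one vector and return its state."""
    state = VectorState(cfg)
    for pps in samples:
        state.observe_second(pps)
    return state


if __name__ == "__main__":
    # Constructed traffic: a 1000 pps baseline, a 100 % jump, a burst, recovery.
    syn = VectorConfig("tcp-syn-flood", detection_threshold_pps=5000,
                       detection_threshold_percent=100, rate_limit_pps=8000)
    state = replay(syn, [1000] * 120 + [2000, 10000, 1000])
    print("\n".join(state.log))
```

With the page's own numbers (1000 pps baseline, 100 percent), the jump to 2000 pps is reported through the percent threshold while the one-minute average is still far below the 5000 pps absolute threshold, and the 10000 pps burst is cut to 8000 pps by the rate limit whether or not detection has fired.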

Device DoS attack types

You can specify specific threshold, rate increase, rate limit, and other parameters for supported device DoS attack types, to more accurately detect, track, and rate limit attacks.

Attention: All hardware-supported vectors are performed in hardware on vCMP guests, as long as the vCMP guests have the same software version as the vCMP host.
| DoS Category | Attack Name | DoS Vector Name | Information | Hardware accelerated |
|---|---|---|---|---|
| Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value, where value is 256-8192. | Yes |
| Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | The ICMP frame checksum is bad. Reuses the TCP or UDP checksum bits in the packet. | Yes |
| Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: 0 Echo Reply, 3 Destination Unreachable, 4 Source Quench, 5 Redirect, 8 Echo, 11 Time Exceeded, 12 Parameter Problem, 13 Timestamp, 14 Timestamp Reply, 15 Information Request, 16 Information Reply, 17 Address Mask Request, 18 Address Mask Reply. Valid IPv6 types: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem, 128 Echo Request, 129 Echo Reply, 130 Membership Query, 131 Membership Report, 132 Membership Reduction. | Yes |
| Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value, where value is <=65515. | Yes |
| Bad Header - IGMP | Bad IGMP Frame | bad-igmp-frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be one of 0x11, 0x12, 0x16, 0x17 or 0x22, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
| Bad Header - IPv4 | Bad IP TTL Value | bad-ttl-val | Time-to-live equals zero in an IPv4 packet. | Yes |
| Bad Header - IPv4 | Bad IP Version | bad-ver | The version field in the IPv4 header is not 4. | Yes |
| Bad Header - IPv4 | Header Length > L2 Length | hdr-len-gt-l2-len | No room in the layer 2 packet for the IPv4 header (including options). | Yes |
| Bad Header - IPv4 | Header Length Too Short | hdr-len-too-short | IPv4 header length is less than 20 bytes. | Yes |
| Bad Header - IPv4 | Bad Source | ip-bad-src | The IPv4 source IP is 255.255.255.255 or 0xe0000000 (224.0.0.0). | Yes |
| Bad Header - IPv4 | IP Error Checksum | ip-err-chksum | The header checksum is not correct. | Yes |
| Bad Header - IPv4 | IP Length > L2 Length | ip-len-gt-l2-len | Total length in the IPv4 header, or payload length in the IPv6 header, is greater than the layer 3 length in the layer 2 packet. | Yes |
| Bad Header - IPv4 | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value, where value is 1-4. | Yes |
| Bad Header - IPv4 | IP Option Frames | ip-opt-frames | IPv4 packet with options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
| Bad Header - IPv4 | IP Option Illegal Length | bad-ip-opt | Option present with illegal length. | No |
| Bad Header - IPv4 | L2 Length >> IP Length | l2-len-ggt-ip-len | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the layer 2 length is greater than the minimum packet size. | Yes |
| Bad Header - IPv4 | No L4 | no-l4 | No layer 4 payload in the IPv4 packet. | Yes |
| Bad Header - IPv4 | Unknown Option Type | unk-ipopt-type | Unknown IP option type. | No |
| Bad Header - IPv6 | IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 packet are in the wrong order. | Yes |
| Bad Header - IPv6 | Bad IPv6 Hop Count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes |
| Bad Header - IPv6 | Bad IPv6 Version | bad-ipv6-ver | The version field in the IPv6 header is not 6. | Yes |
| Bad Header - IPv6 | IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes |
| Bad Header - IPv6 | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value, where value is 0-1024. | Yes |
| Bad Header - IPv6 | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where value is 1-4. | Yes |
| Bad Header - IPv6 | Bad IPv6 source | ipv6-bad-src | IPv6 source IP = 0xff00:: | Yes |
| Bad Header - IPv6 | IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 packet contains extension headers. | Yes |
| Bad Header - IPv6 | IPv6 Length > L2 Length | ipv6-len-gt-l2-len | IPv6 length is greater than the layer 2 length. | Yes |
| Bad Header - IPv6 | IPv6 Source Address == Destination Address |  | IPv6 packet source address is the same as the destination address. | Yes |
| Bad Header - IPv6 | No L4 (Extended Headers Go To Or Past End of Frame) | l4-ext-hdrs-go-end | Extended headers go to the end, or past the end, of the L4 frame. | Yes |
| Bad Header - IPv6 | Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length. | Yes |
| Bad Header - IPv6 | Too Many Extended Headers | too-many-ext-hdrs | For an IPv6 packet, there are more than <tunable> extension headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value, where value is 0-15. | Yes |
| Bad Header - L2 | Ethernet MAC Source Address == Destination Address | ether-mac-sa-eq-da | Ethernet MAC source address equals the destination address. | Yes |
| Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match. | Yes |
| Bad Header - TCP | Bad TCP Flags (All Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0). | Yes |
| Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set). | Yes |
| Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set). | Yes |
| Bad Header - TCP | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length. | Yes |
| Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set). | Yes |
| Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious. | Yes |
| Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | TCP header length is greater than the layer 2 length. | Yes |
| Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words. | Yes |
| Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. | Yes |
| Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type. | Yes |
| Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct. | Yes |
| Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than the IP length or the layer 2 length. | Yes |
| DNS | DNS AAAA Query | dns-aaaa-query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS Any Query | dns-any-query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS AXFR Query | dns-axfr-query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS A Query | dns-a-query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS CNAME Query | dns-cname-query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS IXFR Query | dns-ixfr-query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS Malformed | dns-malformed | Malformed DNS packet. | Yes |
| DNS | DNS MX Query | dns-mx-query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS NS Query | dns-ns-query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS OTHER Query | dns-other-query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS PTR Query | dns-ptr-query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS QDCount Limit | dns-qdcount-limit | UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS Response Flood | dns-response-flood | UDP DNS Port=53 packet, and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS SOA Query | dns-soa-query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS SRV Query | dns-srv-query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| DNS | DNS TXT Query | dns-txt-query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094. | Yes |
| Flood | ARP Flood | arp-flood | ARP packet flood. | Yes |
| Flood | Ethernet Broadcast Packet | ether-brdcst-pkt | Ethernet broadcast packet flood. | Yes |
| Flood | Ethernet Multicast Packet | ether-multicst-pkt | Ethernet destination is not broadcast, but is multicast. | Yes |
| Flood | ICMPv4 Flood | icmpv4-flood | Flood with ICMPv4 packets. | Yes |
| Flood | ICMPv6 Flood | icmpv6-flood | Flood with ICMPv6 packets. | Yes |
| Flood | IGMP Flood | igmp-flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2). | Yes |
| Flood | IGMP Fragment Flood | igmp-frag-flood | Fragmented packet flood with IGMP protocol. | Yes |
| Flood | IPv4 Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4. | Yes |
| Flood | IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | Yes |
| Flood | Routing Header Type 0 | routing-header-type-0 | Routing header type zero is present in flood packets. | Yes |
| Flood | TCP BADACK Flood | tcp-ack-flood | TCP ACK packet flood. | No |
| Flood | TCP RST Flood | tcp-rst-flood | TCP RST flood. | Yes |
| Flood | TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood. | Yes |
| Flood | TCP SYN Flood | tcp-syn-flood | TCP SYN flood. | Yes |
| Flood | TCP Window Size | tcp-window-size | The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value, where value is <=128. | Yes |
| Flood | UDP Flood | udp-flood | UDP flood attack. | Yes |
| Fragmentation | ICMP Fragment | icmp-frag | ICMP fragment flood. | Yes |
| Fragmentation | IPv6 Atomic Fragment | ipv6-atomic-frag | IPv6 Fragment header present with M=0 and FragOffset=0. | Yes |
| Fragmentation | IPv6 Fragment Error | ipv6-other-frag | Other IPv6 fragment error. | No |
| Fragmentation | IPv6 Fragment Overlap | ipv6-overlap-frag | IPv6 overlapping fragment error. | No |
| Fragmentation | IPv6 Fragment Too Small | ipv6-short-frag | IPv6 short fragment error. | Yes |
| Fragmentation | IP Fragment Error | ip-other-frag | Other IPv4 fragment error. | No |
| Fragmentation | IP Fragment Overlap | ip-overlap-frag | IPv4 overlapping fragment error. | No |
| Fragmentation | IP Fragment Too Small | ip-short-frag | IPv4 short fragment error. | Yes |
| Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
| Single Endpoint | Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
| SIP | SIP ACK Method | sip-ack-method | SIP ACK packets. | No |
| SIP | SIP BYE Method | sip-bye-method | SIP BYE packets. | No |
| SIP | SIP CANCEL Method | sip-cancel-method | SIP CANCEL packets. | No |
| SIP | SIP INVITE Method | sip-invite-method | SIP INVITE packets. | No |
| SIP | SIP Malformed | sip-malformed | Malformed SIP packets. | No |
| SIP | SIP MESSAGE Method | sip-message-method | SIP MESSAGE packets. | No |
| SIP | SIP NOTIFY Method | sip-notify-method | SIP NOTIFY packets. | No |
| SIP | SIP OPTIONS Method | sip-options-method | SIP OPTIONS packets. | No |
| SIP | SIP OTHER Method | sip-other-method | SIP OTHER packets. | No |
| SIP | SIP PRACK Method | sip-prack-method | SIP PRACK packets. | No |
| SIP | SIP PUBLISH Method | sip-publish-method | SIP PUBLISH packets. | No |
| SIP | SIP REGISTER Method | sip-register-method | SIP REGISTER packets. | No |
| SIP | SIP SUBSCRIBE Method | sip-subscribe-method | SIP SUBSCRIBE packets. | No |
| Other | Host Unreachable | host-unreachable | Host unreachable error. | Yes |
| Other | LAND Attack | land-attack | Spoofed TCP SYN packet attack. | Yes |
| Other | TIDCMP | tidcmp | ICMP source quench attack. | Yes |
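Several of the Bad Header vectors in the table are plain header-field rules, which makes them easy to check against real bytes. The following Python classifier is an added example, not F5 code or the BIG-IP implementation: it builds a few constructed IPv4 frames, applies the IPv4, TCP, ICMPv4 and IGMP rules as the table states them, and returns the vector names each frame would hit. Assumptions beyond the table: "all flags set" is taken to mean the six classic TCP flags (URG, ACK, PSH, RST, SYN, FIN); the TCP checksum vector is not modelled because it needs the pseudo-header; the multicast exemption for ttl-leq-one uses 224.0.0.0/4; the TCP option vectors and the Bad URG check are left out.

```python
"""Bad Header vector rules from the table, applied to constructed packets."""
import ipaddress
import struct
from typing import List

VALID_ICMPV4_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14, 15, 16, 17, 18}
VALID_IGMP_TYPES = {0x11, 0x12, 0x16, 0x17, 0x22}
IP_LOW_TTL = 1        # default of dos.iplowttl (ttl-leq-one)
FIN, SYN = 0x01, 0x02
SIX_TCP_FLAGS = 0x3F  # assumption: "all flags set" = URG|ACK|PSH|RST|SYN|FIN

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when the embedded checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_tcp(seg: bytes) -> List[str]:
    if len(seg) < 20:
        return ["tcp-hdr-len-gt-l2-len"]
    seq = struct.unpack("!I", seg[4:8])[0]
    data_off, flags = seg[12] >> 4, seg[13]
    checks = [
        (data_off < 5, "tcp-hdr-len-too-short"),
        (data_off * 4 > len(seg), "tcp-hdr-len-gt-l2-len"),
        (flags == 0 and seq == 0, "bad-tcp-flags-all-clr"),
        (flags & SIX_TCP_FLAGS == SIX_TCP_FLAGS, "bad-tcp-flags-all-set"),
        (flags == FIN, "fin-only-set"),
        (flags & SYN and flags & FIN, "syn-and-fin-set"),
    ]
    return [name for cond, name in checks if cond]

def classify_icmpv4(msg: bytes) -> List[str]:
    checks = [
        (len(msg) < 8 or msg[0] not in VALID_ICMPV4_TYPES, "bad-icmp-frame"),
        (len(msg) >= 4 and ones_complement_sum(msg) != 0, "bad-icmp-chksum"),
    ]
    return [name for cond, name in checks if cond]

def classify_igmp(msg: bytes) -> List[str]:
    # Header >= 8 bytes, type (bits 7:0) in the valid set, and Max Resp Time
    # (bits 15:8) non-zero only for a Membership Query (0x11).
    bad = len(msg) < 8 or msg[0] not in VALID_IGMP_TYPES or (msg[1] != 0 and msg[0] != 0x11)
    return ["bad-igmp-frame"] if bad else []

def classify_ipv4(frame: bytes) -> List[str]:
    """Return the Device DoS vector names an IPv4 frame (L3 onward) would hit."""
    if len(frame) < 20:
        return ["hdr-len-gt-l2-len"]
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    ttl, proto = frame[8], frame[9]
    src = struct.unpack("!I", frame[12:16])[0]
    dst_is_multicast = 224 <= frame[16] <= 239  # 224.0.0.0/4
    header_ok = 20 <= ihl <= len(frame)
    checks = [
        (version != 4, "bad-ver"),
        (ihl < 20, "hdr-len-too-short"),
        (ihl > len(frame), "hdr-len-gt-l2-len"),
        (total_len > len(frame), "ip-len-gt-l2-len"),
        (ttl == 0, "bad-ttl-val"),
        (0 < ttl <= IP_LOW_TTL and not dst_is_multicast, "ttl-leq-one"),
        (src in (0xFFFFFFFF, 0xE0000000), "ip-bad-src"),
        (header_ok and ones_complement_sum(frame[:ihl]) != 0, "ip-err-chksum"),
    ]
    hits = [name for cond, name in checks if cond]
    payload = frame[ihl:] if header_ok else b""
    if not payload:
        hits.append("no-l4")
    elif proto == 6:
        hits += classify_tcp(payload)
    elif proto == 1:
        hits += classify_icmpv4(payload)
    elif proto == 2:
        hits += classify_igmp(payload)
    return hits

def build_ipv4(payload: bytes, proto: int, ttl: int = 64, src: str = "10.0.0.1",
               dst: str = "10.0.0.2", version: int = 4, corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4 header (no options) with a valid checksum, then the payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20 + len(payload), 0, 0,
                                ttl, proto, 0, ipaddress.ip_address(src).packed,
                                ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", hdr, 10, ones_complement_sum(bytes(hdr)))
    if corrupt_checksum:
        struct.pack_into("!H", hdr, 4, 1)  # alter Identification after checksumming
    return bytes(hdr) + payload

def build_tcp(flags: int, seq: int = 1, data_off: int = 5) -> bytes:
    """Constructed 20-byte TCP header; the TCP checksum is left zero (not modelled)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, data_off << 4, flags, 8192, 0, 0)

def build_icmp(icmp_type: int, code: int = 0, rest: bytes = bytes(4)) -> bytes:
    """Constructed ICMPv4 message with a valid checksum."""
    body = bytearray(struct.pack("!BBH", icmp_type, code, 0) + rest)
    struct.pack_into("!H", body, 2, ones_complement_sum(bytes(body)))
    return bytes(body)
```

A plain SYN from 10.0.0.1 to 10.0.0.2 returns an empty list; the same segment with SYN and FIN set returns ["syn-and-fin-set"], a TTL of 1 to a unicast destination returns ["ttl-leq-one"] while the same TTL to 224.0.0.1 does not, and an IGMP Membership Report with a non-zero Max Resp Time byte returns ["bad-igmp-frame"] exactly as the table's bit rule states. These are the same rules the hardware applies, which is why a deliberately malformed probe aimed at a BIG-IP is dropped before any threshold is consulted.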