Applies To:
BIG-IP AFM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Detecting and Preventing System DoS and DDoS Attacks
About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks
DoS and DDoS attack detection and prevention is enabled by the BIG-IP® Advanced Firewall Manager™ (AFM™) Device DoS profile. DoS detection and prevention features are enabled with an Advanced Firewall Manager license, which also includes DNS protocol detection support. DoS and DDoS detection and prevention serves two functions:
- To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.
- To detect unusual increases in packets of specific types that are known attack vectors. Possible attack vectors are tracked over the past hour, and current possible attacks are compared to the average of that hour.
You can configure the levels at which a BIG-IP device detects all system-supported DoS attacks.
Detecting and protecting against DoS and DDoS attacks
Device DoS attack types
You can specify threshold, rate increase, rate limit, and other parameters for each supported device DoS attack type, to detect, track, and rate limit attacks more accurately.
DoS Category | Attack Name | DoS Vector Name | Information | Hardware accelerated |
---|---|---|---|---|
Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value <value>, where value is 256-8192. | Yes |
Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes |
Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: | Yes |
Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <value>, where value is <=65515. | Yes |
Bad Header - IGMP | Bad IGMP Frame | bad-igmp-frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
Bad Header - IPv4 | Bad IP TTL Value | bad-ttl-val | Time-to-live equals zero for an IPv4 address. | Yes |
Bad Header - IPv4 | Bad IP Version | bad-ver | The IPv4 address version in the IP header is not 4. | Yes |
Bad Header - IPv4 | Header Length > L2 Length | hdr-len-gt-l2-len | No room in the layer 2 packet for the IP header (including options) for an IPv4 address. | Yes |
Bad Header - IPv4 | Header Length Too Short | hdr-len-too-short | IPv4 header length is less than 20 bytes. | Yes |
Bad Header - IPv4 | Bad Source | ip-bad-src | The IPv4 source IP is 255.255.255.255 or 0xe0000000U. | Yes |
Bad Header - IPv4 | IP Error Checksum | ip-err-chksum | The header checksum is not correct. | Yes |
Bad Header - IPv4 | IP Length > L2 Length | ip-len-gt-l2-len | Total length in the IPv4 header or payload length in the IPv6 header is greater than the layer 3 length in the layer 2 packet. | Yes |
Bad Header - IPv4 | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where value is 1-4. | Yes |
Bad Header - IPv4 | IP Option Frames | ip-opt-frames | IPv4 packet with IP options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
Bad Header - IPv4 | IP Option Illegal Length | bad-ip-opt | Option present with illegal length. | No |
Bad Header - IPv4 | L2 Length >> IP Length | l2-len-ggt-ip-len | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the layer 2 length is greater than the minimum packet size. | Yes |
Bad Header - IPv4 | No L4 | no-l4 | No layer 4 payload for an IPv4 address. | Yes |
Bad Header - IPv4 | Unknown Option Type | unk-ipopt-type | Unknown IP option type. | No |
Bad Header - IPv6 | IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 header are in the wrong order. | Yes |
Bad Header - IPv6 | Bad IPv6 Hop Count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes |
Bad Header - IPv6 | Bad IPv6 Version | bad-ipv6-ver | The IPv6 address version in the IP header is not 6. | Yes |
Bad Header - IPv6 | IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes |
Bad Header - IPv6 | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <value>, where value is 0-1024. | Yes |
Bad Header - IPv6 | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <value>, where value is 1-4. | Yes |
Bad Header - IPv6 | Bad IPv6 source | ipv6-bad-src | IPv6 source IP = 0xff00:: | Yes |
Bad Header - IPv6 | IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 address contains extended header frames. | Yes |
Bad Header - IPv6 | IPv6 Length > L2 Length | ipv6-len-gt-l2-len | IPv6 address length is greater than the layer 2 length. | Yes |
Bad Header - IPv6 | IPv6 Source Address == Destination Address | | IPv6 packet source address is the same as the destination address. | Yes |
Bad Header - IPv6 | No L4 (Extended Headers Go To Or Past End of Frame) | l4-ext-hdrs-go-end | Extended headers go to the end or past the end of the L4 frame. | Yes |
Bad Header - IPv6 | Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length. | Yes |
Bad Header - IPv6 | Too Many Extended Headers | too-many-ext-hdrs | For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <value>, where value is 0-15. | Yes |
Bad Header - L2 | Ethernet MAC Source Address == Destination Address | ether-mac-sa-eq-da | Ethernet MAC source address equals the destination address. | Yes |
Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match. | Yes |
Bad Header - TCP | Bad TCP Flags (All Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0). | Yes |
Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set). | Yes |
Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set). | Yes |
Bad Header - TCP | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length. | Yes |
Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set). | Yes |
Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious. | Yes |
Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | | Yes |
Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words. | Yes |
Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. | Yes |
Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type. | Yes |
Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct. | Yes |
Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than the IP length or the layer 2 length. | Yes |
DNS | DNS AAAA Query | dns-aaaa-query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS Any Query | dns-any-query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS AXFR Query | dns-axfr-query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS A Query | dns-a-query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS CNAME Query | dns-cname-query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS IXFR Query | dns-ixfr-query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS Malformed | dns-malformed | Malformed DNS packet. | Yes |
DNS | DNS MX Query | dns-mx-query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS NS Query | dns-ns-query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS OTHER Query | dns-other-query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS PTR Query | dns-ptr-query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS QDCount Limit | dns-qdcount-limit | UDP packet, DNS qdcount is not equal to 1, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS Response Flood | dns-response-flood | UDP DNS Port=53 packet, and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS SOA Query | dns-soa-query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS SRV Query | dns-srv-query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
DNS | DNS TXT Query | dns-txt-query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where value is 0-4094. | Yes |
Flood | ARP Flood | arp-flood | ARP packet flood. | Yes |
Flood | Ethernet Broadcast Packet | ether-brdcst-pkt | Ethernet broadcast packet flood. | Yes |
Flood | Ethernet Multicast Packet | ether-multicst-pkt | Ethernet destination is not broadcast, but is multicast. | Yes |
Flood | ICMPv4 Flood | icmpv4-flood | Flood with ICMP v4 packets. | Yes |
Flood | ICMPv6 Flood | icmpv6-flood | Flood with ICMP v6 packets. | Yes |
Flood | IGMP Flood | igmp-flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2). | Yes |
Flood | IGMP Fragment Flood | igmp-frag-flood | Fragmented packet flood with IGMP protocol. | Yes |
Flood | IPv4 Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4. | Yes |
Flood | IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | Yes |
Flood | Routing Header Type 0 | routing-header-type-0 | Routing header type zero is present in flood packets. | Yes |
Flood | TCP BADACK Flood | tcp-ack-flood | TCP ACK packet flood. | No |
Flood | TCP RST Flood | tcp-rst-flood | TCP RST flood. | Yes |
Flood | TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood. | Yes |
Flood | TCP SYN Flood | tcp-syn-flood | TCP SYN flood. | Yes |
Flood | TCP Window Size | tcp-window-size | The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value <value>, where value is <=128. | Yes |
Flood | UDP Flood | udp-flood | UDP flood attack. | Yes |
Fragmentation | ICMP Fragment | icmp-frag | ICMP fragment flood. | Yes |
Fragmentation | IPv6 Atomic Fragment | ipv6-atomic-frag | IPv6 Frag header present with M=0 and FragOffset=0. | Yes |
Fragmentation | IPv6 Fragment Error | ipv6-other-frag | Other IPv6 fragment error. | No |
Fragmentation | IPv6 Fragment Overlap | ipv6-overlap-frag | IPv6 overlapping fragment error. | No |
Fragmentation | IPv6 Fragment Too Small | ipv6-short-frag | IPv6 short fragment error. | Yes |
Fragmentation | IP Fragment Error | ip-other-frag | Other IPv4 fragment error. | No |
Fragmentation | IP Fragment Overlap | ip-overlap-frag | IPv4 overlapping fragment error. | No |
Fragmentation | IP Fragment Too Small | ip-short-frag | IPv4 short fragment error. | Yes |
Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure the packet types to check for, and the packets per second for both detection and rate limiting. | No |
Single Endpoint | Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure the packet types to check for, and the packets per second for both detection and rate limiting. | No |
SIP | SIP ACK Method | sip-ack-method | SIP ACK packets. | No |
SIP | SIP BYE Method | sip-bye-method | SIP BYE packets. | No |
SIP | SIP CANCEL Method | sip-cancel-method | SIP CANCEL packets. | No |
SIP | SIP INVITE Method | sip-invite-method | SIP INVITE packets. | No |
SIP | SIP Malformed | sip-malformed | Malformed SIP packets. | No |
SIP | SIP MESSAGE Method | sip-message-method | SIP MESSAGE packets. | No |
SIP | SIP NOTIFY Method | sip-notify-method | SIP NOTIFY packets. | No |
SIP | SIP OPTIONS Method | sip-options-method | SIP OPTIONS packets. | No |
SIP | SIP OTHER Method | sip-other-method | SIP OTHER packets. | No |
SIP | SIP PRACK Method | sip-prack-method | SIP PRACK packets. | No |
SIP | SIP PUBLISH Method | sip-publish-method | SIP PUBLISH packets. | No |
SIP | SIP REGISTER Method | sip-register-method | SIP REGISTER packets. | No |
SIP | SIP SUBSCRIBE Method | sip-subscribe-method | SIP SUBSCRIBE packets. | No |
Other | Host Unreachable | host-unreachable | Host unreachable error. | Yes |
Other | LAND Attack | land-attack | Spoofed TCP SYN packet attack. | Yes |
Other | TIDCMP | tidcmp | ICMP source quench attack. | Yes |
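The Bad Header rows above state each check as a rule on specific header fields. The following is an added example, not code from F5 or from this guide, that re-implements a subset of those rules (the IPv4, TCP and IGMP header rows) in plain Python and runs them over a constructed Ethernet/IPv4 frame, returning the table's own vector names. It goes beyond any one row by applying all of the selected rules to a frame at once. Rate thresholds, hardware acceleration and the IPv6, DNS and SIP rows are not modelled; `IP_LOW_TTL` mirrors the default of the dos.iplowttl variable, the six-bit flag mask for "all flags set" is an assumption, and the function names `ipv4_checksum`, `check_frame` and `build_frame` are this example's own. The frames are sample data built inline, not captures.

```python
# Added example, not F5 code: re-implements a subset of the Device DoS header
# checks from the table above over a constructed Ethernet/IPv4 frame. Vector
# names are the table's; layouts follow RFC 791 (IPv4), RFC 793 (TCP) and
# RFC 3376 (IGMP). Rate thresholds and hardware acceleration are not modelled.
import struct

IP_LOW_TTL = 1        # assumption: default of the dos.iplowttl db variable (range 1-4)
TCP_FLAG_MASK = 0x3F  # assumption: "all flags" means the six classic bits FIN..URG
IGMP_TYPES = {0x11, 0x12, 0x16, 0x22, 0x17}  # valid IGMP type octets per the table


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when the header's checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_frame(frame: bytes) -> list:
    """Return the names of the table's DoS vectors that this frame would trip."""
    hits = []
    ip = frame[14:]                       # skip the 14-byte Ethernet header
    if len(ip) < 20:
        return ["hdr-len-gt-l2-len"]      # no room in the L2 frame for an IPv4 header
    if ip[0] >> 4 != 4:
        hits.append("bad-ver")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20:
        hits.append("hdr-len-too-short")  # later field offsets cannot be trusted
        return hits
    if ihl > len(ip):
        hits.append("hdr-len-gt-l2-len")  # options would run past the frame
        return hits
    if struct.unpack("!H", ip[2:4])[0] > len(ip):
        hits.append("ip-len-gt-l2-len")
    ttl, proto, src, dst = ip[8], ip[9], ip[12:16], ip[16:20]
    if ttl == 0:
        hits.append("bad-ttl-val")
    elif ttl <= IP_LOW_TTL and (dst[0] & 0xF0) != 0xE0:    # multicast dst is exempt
        hits.append("ttl-leq-one")
    if src in (b"\xff\xff\xff\xff", b"\xe0\x00\x00\x00"):  # 255.255.255.255 / 0xe0000000
        hits.append("ip-bad-src")
    if ipv4_checksum(ip[:ihl]) != 0:
        hits.append("ip-err-chksum")
    if ihl > 20:
        hits.append("ip-opt-frames")
    l4 = ip[ihl:]
    if not l4:
        hits.append("no-l4")
    elif proto == 6 and len(l4) >= 14:    # TCP: data offset and flag combinations
        seq = struct.unpack("!I", l4[4:8])[0]
        data_offset = (l4[12] >> 4) * 4
        flags = l4[13] & TCP_FLAG_MASK
        if data_offset < 20:
            hits.append("tcp-hdr-len-too-short")
        elif data_offset > len(l4):
            hits.append("tcp-hdr-len-gt-l2-len")
        if flags == 0 and seq == 0:
            hits.append("bad-tcp-flags-all-clr")
        elif flags == TCP_FLAG_MASK:
            hits.append("bad-tcp-flags-all-set")
        elif flags & 0x03 == 0x03:
            hits.append("syn-and-fin-set")
        elif flags == 0x01:
            hits.append("fin-only-set")
    elif proto == 2:                      # IGMP: header length, type octet, max-response octet
        if len(l4) < 8 or l4[0] not in IGMP_TYPES or (l4[1] != 0 and l4[0] != 0x11):
            hits.append("bad-igmp-frame")
    return hits


def build_frame(src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", ttl=64, version=4,
                ihl=5, total_len=None, good_checksum=True, proto=6, l4=None,
                tcp_flags=0x02, seq=1, data_offset=5):
    """Constructed sample frame (not a capture); the defaults give a clean TCP SYN."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    if l4 is None:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, data_offset << 4,
                         tcp_flags, 8192, 0, 0)
    if total_len is None:
        total_len = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len, 0, 0,
                     ttl, proto, 0, src, dst)
    if good_checksum:
        ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4


if __name__ == "__main__":
    for label, frame in [("clean SYN", build_frame()),
                         ("SYN+FIN", build_frame(tcp_flags=0x03)),
                         ("TTL 1, unicast", build_frame(ttl=1)),
                         ("bad IGMP", build_frame(proto=2, l4=b"\x16\x10" + b"\x00" * 6))]:
        print(f"{label:15s} -> {check_frame(frame)}")
```

Two details worth noticing when tuning the real vectors: the ttl-leq-one rule only fires for non-multicast destinations, so a TTL-1 packet to 224.0.0.1 is clean, and the flag rules are mutually exclusive in this model (a packet with all six flags set reports bad-tcp-flags-all-set, not syn-and-fin-set as well).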