A sweep attack is a network scanning technique that typically sweeps your network
by sending packets, and using the packet responses to determine live hosts. Typical attacks use
ICMP to accomplish this.
The Sweep vector tracks packets by source address. Packets from a specific source that meet the
defined single endpoint Sweep criteria, and exceed the rate limit, are dropped. You can also
configure the Sweep vector to automatically blacklist an IP address from which the Sweep attack
originates.
Important: The sweep mechanism protects against a flood attack from a single source,
whether that attack is to a single destination host, or multiple hosts.
A flood attack is an attack technique that floods your network with packets of a
certain type, in an attempt to overwhelm the system. A typical attack might flood the system with
SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your
network with a large number of UDP packets, requiring the system to verify applications and send
responses.
The Flood vector tracks packets per destination address. Packets to a specific destination that
meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.
The BIG-IP® system can detect such attacks with a configurable detection
threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of
ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address,
according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts
first, so a packet flood from a single source address to a single destination address is handled
by the sweep vector.
You can configure DoS sweep and flood prevention through DoS Protection: Device
Configuration.
Task list
Detecting and protecting against DoS sweep attacks
With the DoS Protection Device Configuration screen settings, you can set detection
thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP
addresses that you detect perpetrating such attacks.
- On the Main tab, click .
  The DoS Protection Device Configuration screen opens.
- To log DoS events to a log publisher, from the Log Publisher list, select a destination to which the BIG-IP® system sends DoS and DDoS log entries, and click Update.
- In the Category column, expand the Single Endpoint category.
- Click Single Endpoint Sweep.
  The Single Endpoint Sweep screen opens.
- From the Detection Threshold PPS list, select Specify or Infinite.
  - Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
  - Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
- From the Rate Limit list, select Specify or Infinite.
  - Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the limit.
  - Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
- In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
- In the Additional Actions area, select Categorize address and configure the settings. You can select a black list category from the list, specify the detection time in seconds after which the attacking endpoint is blacklisted, and specify the duration for which the address remains assigned to the category. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds), and the IP address is blacklisted for 4 hours (14400 seconds).
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisements.
Note: To advertise to edge routers, you must configure a Blacklist
Publisher at for the blacklist category.
- Click the Update button.
  The sweep attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide protection against DoS sweep attacks,
to allow such attacks to be identified in system logs and reports, and to automatically
add such attackers to a blacklist of your choice.
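To make the sweep vector's behaviour concrete, the following Python is an added illustration (not BIG-IP code and not part of this page) that models the per-source Single Endpoint Sweep logic described above: a per-second packet count per source, a detection threshold that logs an attack event, a rate limit that drops the excess packets, and automatic blacklisting once detection has been sustained for the detection time. The traffic, threshold, rate limit and detection time are constructed example values; `None` stands for the Infinite setting.

```python
from collections import defaultdict


def build_constructed_traffic():
    """Constructed sample traffic (not a capture): second -> one source address per packet.
    10.0.0.5 sends 20 pps throughout; 192.0.2.10 sends 200 pps during seconds 1-3."""
    traffic = {}
    for sec in range(5):
        pkts = ["10.0.0.5"] * 20
        if 1 <= sec <= 3:
            pkts += ["192.0.2.10"] * 200
        traffic[sec] = pkts
    return traffic


def run_sweep_vector(traffic, threshold_pps, rate_limit_pps, detect_time_s, duration_s):
    """Model of the per-source sweep vector, evaluated once per second (assumed model).

    threshold_pps / rate_limit_pps of None stand for the Infinite setting.
    Returns (events, dropped, blacklist): logged (second, source, pps) events,
    dropped packet counts per source, and source -> second the blacklist entry expires.
    """
    events, dropped, blacklist, detected_since = [], defaultdict(int), {}, {}
    for sec in sorted(traffic):
        counts = defaultdict(int)
        for src in traffic[sec]:
            if src in blacklist and sec < blacklist[src]:
                dropped[src] += 1                      # categorized source: all packets dropped
                continue
            counts[src] += 1
            if rate_limit_pps is not None and counts[src] > rate_limit_pps:
                dropped[src] += 1                      # excess over the rate limit is dropped
        for src, pps in counts.items():
            if threshold_pps is not None and pps > threshold_pps:
                events.append((sec, src, pps))         # attack logged and reported this second
                detected_since.setdefault(src, sec)
                sustained = sec - detected_since[src] + 1
                if sustained >= detect_time_s and blacklist.get(src, 0) <= sec:
                    blacklist[src] = sec + duration_s  # categorize after the detection time
            else:
                detected_since.pop(src, None)          # attack no longer registered
    return events, dict(dropped), blacklist


if __name__ == "__main__":
    print(run_sweep_vector(build_constructed_traffic(), 100, 150, 2, 14400))
```

With a threshold of 100 pps and a rate limit of 150 pps, the sweeping source is logged in seconds 1 and 2, has its excess packets dropped, and is blacklisted for 14400 seconds once detection has lasted 2 seconds; the well-behaved host is never touched.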
Configure flood attack prevention, and configure any other DoS responses, in the
DoS device configuration. Configure whitelist entries for addresses that you
specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and
reporting for DoS attacks, to track threats to your system.