You can configure DNS attack settings in a DoS profile that already exists.
The BIG-IP® system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses, by measuring packets per second and the percentage increase in packets over time. You can configure settings to identify and rate limit possible DNS attacks with a DoS profile.
- On the Main tab, click .
  The DoS Profiles list screen opens.
- Click Create.
  The Create New DoS Profile screen opens.
- Under Profile Information, click General Settings, and in the Profile Name field, type the name for the profile.
- To configure DNS security settings, click Protocol DNS, click Edit in the far right column, then select Enabled.
- To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, click Edit in the far right column, then select Enabled.
- In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous.
  The rate of detection compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
- In the Rate threshold field, type the rate of packets with errors per second to detect.
  This threshold sets an absolute limit which, when exceeded, registers an attack.
- In the Rate limit field, type the absolute limit for packets per second with protocol errors. Packets that exceed this limit are dropped.
- To change the threshold or rate increase for a particular DNS record, in the DNS Query Attack Detection area, click Edit in the far right column, select the Enabled check box for each record type that you want to configure, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
  For example, to change the detection threshold for IPv6 address requests to 9,999 per second, or an increase of 250% over the average, select the Enabled check box next to aaaa, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
  The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
  Note: DNS Query Attack Detection allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
- To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
- In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
- In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
- To automatically blacklist bad actor IP addresses, select Blacklist Attacking Address.
  Note: Automatic IP address blacklisting is enabled only when Bad Actor Detection is enabled.
- Specify the Detection Time, in seconds, after which an IP address is blacklisted.
  When a Bad Actor IP address exceeds the Per Source IP Detection PPS setting for the Detection Time period, that IP address is added to the blacklist.
- To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
  After this time period, the IP address is removed from the blacklist.
- Select the Blacklist Category to which blacklist entries generated by Bad Actor Detection are added.
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisements.
  Note: To advertise to edge routers, you must configure a Blacklist Publisher at for the blacklist category.
- Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to malicious DNS attacks and DNS flood attacks, to allow such attacks to be identified in system logs and reports, and to allow rate limiting of such attacks. DNS queries on the record types you configured in the DNS Query Attack Detection area are detected as attacks at your specified thresholds and rate increases, and are rate limited as specified.
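The following added example (not F5 code, and not the BIG-IP implementation) models the detection, rate-limit and bad-actor semantics the steps above describe, using the page's aaaa settings: the Rate Increase check compares the last-minute average to the previous-hour average, the Threshold is an absolute packets/second trigger, drops happen only at the Rate Limit, and a source is blacklisted once it stays above the Per Source IP Detection PPS for the Detection Time. The sliding-window averaging, the class names and the integer-second clock are assumptions made for the simulation.

```python
from collections import deque


class RecordTypeDetector:
    """Hypothetical model of Threshold / Rate Increase / Rate Limit for one
    DNS record type (for example 'aaaa'). Inputs are per-second packet counts."""

    def __init__(self, threshold, rate_increase_pct, rate_limit):
        self.threshold, self.rate_increase_pct, self.rate_limit = threshold, rate_increase_pct, rate_limit
        self.minute = deque(maxlen=60)    # the last 60 one-second counts
        self.hour = deque(maxlen=3600)    # the hour of counts preceding the minute window (assumed)

    def observe(self, pps):
        """Feed one second of traffic; return (attack_detected, packets_dropped)."""
        if len(self.minute) == self.minute.maxlen:
            self.hour.append(self.minute[0])   # ages out of the minute window into the hour window
        self.minute.append(pps)
        minute_avg = sum(self.minute) / len(self.minute)
        hour_avg = sum(self.hour) / len(self.hour) if self.hour else 0
        # Rate Increase: last-minute average as a percentage of the previous-hour average
        increase_pct = minute_avg / hour_avg * 100 if hour_avg else 0
        attack = pps > self.threshold or increase_pct >= self.rate_increase_pct
        # Packets are dropped at the Rate Limit, not at the detection threshold
        dropped = max(0, pps - self.rate_limit)
        return attack, dropped


class BadActorTracker:
    """Hypothetical model of Bad Actor Detection with automatic blacklisting."""

    def __init__(self, detect_pps, limit_pps, detection_time, duration=14400):
        self.detect_pps, self.limit_pps = detect_pps, limit_pps
        self.detection_time, self.duration = detection_time, duration
        self.over_since = {}   # src_ip -> first second it exceeded detect_pps
        self.blacklist = {}    # src_ip -> second at which the entry expires

    def observe(self, src_ip, pps, now):
        """Return (bad_actor, blacklisted, packets_dropped) for one second of traffic."""
        if src_ip in self.blacklist and self.blacklist[src_ip] <= now:
            del self.blacklist[src_ip]                 # Duration elapsed: entry removed
        bad_actor = pps > self.detect_pps
        if bad_actor:
            self.over_since.setdefault(src_ip, now)
            if now - self.over_since[src_ip] >= self.detection_time:
                self.blacklist.setdefault(src_ip, now + self.duration)
        else:
            self.over_since.pop(src_ip, None)          # streak broken; start over
        dropped = max(0, pps - self.limit_pps)         # Per Source IP Rate Limit
        return bad_actor, src_ip in self.blacklist, dropped
```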
Associate a DNS profile with a virtual server to enable the virtual server to
handle DNS traffic. Associate the DoS Protection profile with a virtual server to apply
the settings in the profile to traffic on that virtual server.