In this task, you create the DoS Protection profile and configure SIP settings at
the same time. However, you can configure SIP attack detection settings in a DoS profile
that already exists.
The BIG-IP® system handles SIP attacks that use malformed
packets, protocol errors, and malicious attack vectors. Protocol error attack detection
settings detect malformed and malicious packets, or packets that are employed to flood
the system with several different types of responses. You can configure settings to
identify SIP attacks with a DoS profile.
-
On the Main tab, click .
The DoS Profiles list screen opens.
-
Click Create.
The Create New DoS Profile screen opens.
-
Under Profile Information, click General Settings, and
in the Profile Name field, type the name for the
profile.
-
To configure SIP security settings, click Protocol SIP
Protection, click Edit in the far right
column, then select Enabled.
-
To enable attack detection based on the rate of protocol errors, next to
Protocol Errors Attack Detection, click
Edit in the far right column, then select
Enabled.
-
In the Rate Increased by % field, type the rate of
change in protocol errors to detect as anomalous.
The rate of detection compares the average rate over the last minute to the
average rate over the last hour. For example, the 500%
base rate would indicate an attack if the average rate for the previous hour was
100000 packets/second, and over the last minute
the rate increased to 500000
packets/second.
-
In the Rate threshold field, type the rate of packets
with errors per second to detect.
This threshold sets an absolute limit which, when exceeded, registers an
attack.
-
In the Rate limit field, type the absolute limit for
packets per second with protocol errors. Packets that exceed this limit are
dropped.
-
To change the threshold or rate increase for a particular SIP method, in the
SIP Method Attack Detection settings, click
Edit in the far right column, select the
Enabled check box for each request type that you want
to change, then change the values for Threshold,
Rate Increase and Rate Limit
in the associated fields.
For example, to change the threshold for NOTIFY requests to 9,999 per second,
or an increase of 250% over the average, select the
Enabled check box next to
notify, then set the Threshold field to
9999 and the Rate Increase field to
250. To rate limit such requests to 33,000 packets
per second, set the Rate Limit field to
33000.
The Rate Increase compares the average rate over the last minute to the
average rate over the last hour. For example, the 500%
base rate would indicate an attack if the average rate for the previous hour was
100000 packets/second, and over the last minute
the rate increased to 500000
packets/second.
Note: SIP request detection allows you to configure the thresholds
at which the firewall registers an attack. However, packets are dropped at
the Rate Limit setting, not at the attack detection
threshold.
-
To detect IP address sources from which possible attacks originate, enable
Bad Actor Detection.
-
In the Per Source IP Detection (PPS) field, specify the
number of packets of this type per second from one IP address that identifies
the IP source as a bad actor, for purposes of attack detection and logging.
-
In the Per Source IP Rate Limit (PPS) field, specify the
number of packets of this type per second from one IP address, above which rate
limiting or leak limiting occurs.
-
To automatically blacklist bad actor IP addresses, select Blacklist
Attacking Address.
Note: Automatic IP address blacklisting is enabled only when
Bad Actor Detection is enabled.
-
In the Blacklist Detection Period field, specify the
duration in seconds after which the attacking endpoint is blacklisted. By
default, the configuration adds an IP address to the blacklist after one minute
(60 seconds).
-
In the Blacklist Duration field, specify the amount of
time in seconds that the address will remain on the blacklist. The default is
14400 (4 hours).
-
From the Blacklist Category list, select a black list
category to apply to automatically blacklisted addresses.
-
To allow IP source blacklist entries to be advertised to edge routers so they
will null route their traffic, select Allow
Advertisements.
Note: To advertise to edge routers, you must configure a Blacklist
Publisher at for the blacklist category.
-
Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to
malformed SIP attacks and SIP flood attacks, and to allow such attacks to be identified
in system logs and reports.
Associate the DoS Protection profile with a virtual server to apply the settings in
the profile to traffic on that virtual server. When a SIP attack on a specific query
type is detected, you can be alerted with various system monitors.
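The detection arithmetic described in the Rate Increase, Threshold, Rate Limit and Bad Actor Detection steps above, as an added Python model that is not F5 code and does not reproduce the BIG-IP implementation. The class and function names, the reading that an attack registers when the last-minute average reaches the configured percentage of the last-hour average (the page's 100000 to 500000 example at 500%), and the reading that a source is blacklisted once it exceeds the detection PPS continuously for the detection period are all this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model: field names mirror the GUI labels but are this example's own.
@dataclass
class SipMethodSettings:
    rate_increase_pct: int  # "Rate Increase": last-minute avg as % of last-hour avg
    threshold: int          # "Threshold": absolute packets/s that registers an attack
    rate_limit: int         # "Rate Limit": packets/s above which packets are dropped

def attack_detected(minute_avg: float, hour_avg: float, s: SipMethodSettings) -> bool:
    """Register an attack when the last-minute average reaches the configured
    percentage of the last-hour average, or crosses the absolute threshold."""
    relative = hour_avg > 0 and minute_avg >= hour_avg * s.rate_increase_pct / 100
    return relative or minute_avg > s.threshold

def enforce_rate_limit(pps: int, s: SipMethodSettings) -> tuple:
    """Packets are dropped only above Rate Limit, never at the detection
    threshold. Returns (forwarded, dropped) for one second of traffic."""
    dropped = max(0, pps - s.rate_limit)
    return pps - dropped, dropped

@dataclass
class BadActorSettings:
    per_source_detection_pps: int   # "Per Source IP Detection (PPS)"
    per_source_rate_limit_pps: int  # "Per Source IP Rate Limit (PPS)"
    detection_period_s: int = 60    # "Blacklist Detection Period" default
    blacklist_duration_s: int = 14400  # "Blacklist Duration" default (4 hours)

def evaluate_source(per_second_pps: list, b: BadActorSettings) -> dict:
    """Walk one source IP's per-second packet counts (constructed input).
    The source is a bad actor as soon as it exceeds the detection PPS; it is
    blacklisted (assumption) after exceeding it for the whole detection period.
    Packets above the per-source rate limit are counted as dropped."""
    over_for, dropped = 0, 0
    blacklisted_at: Optional[int] = None
    for t, pps in enumerate(per_second_pps):
        dropped += max(0, pps - b.per_source_rate_limit_pps)
        over_for = over_for + 1 if pps > b.per_source_detection_pps else 0
        if blacklisted_at is None and over_for >= b.detection_period_s:
            blacklisted_at = t
    expires = None if blacklisted_at is None else blacklisted_at + b.blacklist_duration_s
    return {
        "bad_actor": any(p > b.per_source_detection_pps for p in per_second_pps),
        "blacklisted_at": blacklisted_at,
        "blacklist_expires": expires,
        "dropped": dropped,
    }
```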