A sweep attack is a network scanning technique that typically sweeps your network
by sending packets, and using the packet responses to determine live hosts. Typical attacks use
ICMP to accomplish this.
The sweep vector tracks packets by source address. Packets from a specific source that meet the
defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also
configure the sweep vector to automatically blacklist an IP address from which the sweep attack
originates.
Important: The sweep mechanism protects
against a flood attack from a single source, whether that attack is to a single destination host,
or multiple hosts.
A flood attack is a an attack technique that floods your network with packets of a
certain type, in an attempt to overwhelm the system. A typical attack might flood the system with
SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your
network with a large amount of UDP packets, requiring the system to verify applications and send
responses.
The flood vector tracks packets per destination address. Packets to a specific destination that
meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.
The BIG-IP® system can detect such attacks with a configurable detection
threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of
ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address,
according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts
first, so a packet flood from a single source address to a single destination address is handled
by the sweep vector.
You can configure DoS sweep and flood prevention through DoS Protection >Device
Configuration > Network Security.
Task list
Detecting and protecting against single endpoint DoS flood attacks
With the DoS Protection Device Configuration screen settings, you can set detection
thresholds and rate limits for DoS flood attacks.
-
On the Main tab, click .
The Network Security screen opens to Device Configuration.
-
In the Category column, expand the
Single-Endpoint category.
-
Click Single Endpoint Flood.
The Single Endpoint Flood settings open on the
right side of the screen.
-
Next to the DoS vector name, select Enforce.
-
From the Detection Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second)
for the attack detection threshold. If packets of the specified types cross
the threshold, an attack is logged and reported. The system continues to
check every second, and registers an attack for the duration that the
threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Rate Limit Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second),
which cannot be exceeded by packets of this type. All packets of this type
over the threshold are dropped. Rate limiting continues until the rate no
longer exceeds.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not rate-limited.
-
Select the Blacklist Address check box to enable
automatic blacklisting.
-
From the Blacklist Category list, select a black list
category to apply to automatically blacklisted addresses.
-
In the Detection Time field, specify the duration in
seconds after which the attacking endpoint is blacklisted. By default, the
configuration adds an IP address to the blacklist after one minute (60 seconds).
Enabled.
-
In the Duration field, specify the amount of time in
seconds that the address will remain on the blacklist. The default is
14400 (4 hours).
-
To allow IP source blacklist entries to be advertised to edge routers so they
will null route their traffic, select Allow
Advertisement.
Note: To advertise to
edge routers, you must configure a Blacklist Publisher at for the blacklist category.
-
In the Packet Type area, select the packet types you
want to detect for this attack type in the Available
list, and click << to move them to the
Selected list.
-
Click the Update button.
The flood attack configuration is updated on the Device Protection
screen.
Now you have configured the system to provide protection against DoS flood attacks, and to
allow such attacks to be identified in system logs and reports.
Configure sweep attack prevention, and configure any other DoS responses, in the DoS device
configuration. Configure whitelist entries for addresses that you specifically want to bypass all
DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your
system.
Detecting and protecting against DoS sweep attacks
With the DoS Protection Device Configuration screen settings, you can set detection
thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP
addresses that you detect perpetrating such attacks.
-
On the Main tab, click .
The Network Security screen opens to Device Configuration.
-
In the Category column, expand the
Single-Endpoint category.
-
Click Single Endpoint Sweep.
The Single Endpoint Sweep settings open on the right side of the
screen.
-
Next to the DoS vector name, select Enforce.
-
From the Detection Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second)
for the attack detection threshold. If packets of the specified types cross
the threshold, an attack is logged and reported. The system continues to
check every second, and registers an attack for the duration that the
threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Rate Limit Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second),
which cannot be exceeded by packets of this type. All packets of this type
over the threshold are dropped. Rate limiting continues until the rate no
longer exceeds.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not rate-limited.
-
Select the Blacklist Address check box to enable
automatic blacklisting.
-
From the Blacklist Category list, select a black list
category to apply to automatically blacklisted addresses.
-
In the Detection Time field, specify the duration in
seconds after which the attacking endpoint is blacklisted. By default, the
configuration adds an IP address to the blacklist after one minute (60 seconds).
Enabled.
-
In the Duration field, specify the amount of time in
seconds that the address will remain on the blacklist. The default is
14400 (4 hours).
-
To allow IP source blacklist entries to be advertised to edge routers so they
will null route their traffic, select Allow
Advertisement.
Note: To advertise to
edge routers, you must configure a Blacklist Publisher at for the blacklist category.
-
In the Packet Type area, select the packet types you
want to detect for this attack type in the Available
list, and click << to move them to the
Selected list.
-
Click the Update button.
The sweep attack configuration is updated on the Device Protection
screen.
Now you have configured the system to provide protection against DoS sweep attacks,
to allow such attacks to be identified in system logs and reports, and to automatically
add such attackers to a blacklist of your choice.
Configure flood attack prevention, and configure any other DoS responses, in the
DoS device configuration. Configure whitelist entries for addresses that you
specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and
reporting for DoS attacks, to track threats to your system.
Detecting and protecting against UDP flood attacks
With the DoS Protection Device Configuration screen settings, you can set detection
thresholds and rate limits for UDP flood attacks.
-
On the Main tab, click .
The Network Security screen opens to Device Configuration.
-
In the Category column, expand the
Flood category.
-
Click UDP Flood.
The UDP Flood screen opens.
-
Next to the DoS vector name, select Enforce.
-
From the Detection Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second)
for the attack detection threshold. If packets of the specified types cross
the threshold, an attack is logged and reported. The system continues to
check every second, and registers an attack for the duration that the
threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Detection Threshold Percent list, select
Specify or Infinite.
- Use
Specify to set a value (in percentage of traffic)
for the attack detection threshold. If packets of the specified types cross
the percentage threshold, an attack is logged and reported. The system
continues to check every second, and registers an attack for the duration
that the threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Rate Limit Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second),
which cannot be exceeded by packets of this type. All packets of this type
over the threshold are dropped. Rate limiting continues until the rate no
longer exceeds.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not rate-limited.
-
Select Simulate Auto Threshold to log the results of the
current automatic thresholds, when enforcing manual thresholds.
-
To detect IP address sources from which possible attacks originate, enable
Bad Actor Detection.
Note: Bad Actor
Detection is not available for every vector.
-
In the Per Source IP Detection (PPS) field, specify the
number of packets of this type per second from one IP address that identifies
the IP source as a bad actor, for purposes of attack detection and logging.
-
In the Per Source IP Rate Limit (PPS) field, specify the
number of packets of this type per second from one IP address, above which rate
limiting or leak limiting occurs.
-
To change the threshold, rate increase, rate limit, and blacklist settings for
a sweep attack, in the Network Attack Types area, click
Edit in the far right column, select
Sweep, and select the Enabled
check box. Change the values for Threshold,
Rate Increase, and Rate Limit
in the associated fields.
For example, to change the detection threshold for IP fragments to 9,999 per
second, or an increase of 250% over the average, in Attack Types, click IP
Fragment Flood, click the Enabled check box next to
IP Fragment Flood, then set the
Threshold field to 9999 and
the Rate Increase field to 250. To
rate limit such requests to 33,000 packets per second, set the Rate
Limit field to 33000.
The Rate Increase compares the average rate over the last minute to the
average rate over the last hour. For example, the 500%
base rate would indicate an attack if the average rate for the previous hour was
100000 packets/second, and over the last minute
the rate increased to 500000
packets/second.
Note: The Attack
Types area allows you to configure the thresholds at which the firewall
registers an attack. However, packets are dropped at the Rate
Limit setting, not at the attack detection threshold.
-
Select the Blacklist Address check box to enable
automatic blacklisting.
-
From the Blacklist Category list, select a black list
category to apply to automatically blacklisted addresses.
-
In the Detection Time field, specify the duration in
seconds after which the attacking endpoint is blacklisted. By default, the
configuration adds an IP address to the blacklist after one minute (60 seconds).
Enabled.
-
In the Duration field, specify the amount of time in
seconds that the address will remain on the blacklist. The default is
14400 (4 hours).
-
To allow IP source blacklist entries to be advertised to edge routers so they
will null route their traffic, select Allow
Advertisement.
Note: To advertise to
edge routers, you must configure a Blacklist Publisher at for the blacklist category.
-
From the Port List Type list, select Include
All Ports or Exclude All Ports.
An Include list checks all the ports you specify in the Port
List, using the specified threshold criteria, and ignores all others.
An Exclude list excludes all the ports you specify in the Port
List from checking, using the specified threshold criteria, and checks all
others. To check all UDP ports, specify an empty exclude list.
-
In the UDP Port List area, type a port number to add to
an exclude or include UDP port list.
-
In the UDP Port List area, select the mode for each port
number you want to add to an exclude or include UDP port list.
-
None does not include or exclude the
port.
-
Source
only includes or excluded the port from source packets
only.
-
Destination
only includes or excludes the port for destination packets
only.
-
Both Source
and Destination includes or excludes the port in both source
and destination packets.
-
Click the Update button.
The UDP Flood attack configuration is updated on the DoS Device
Configuration screen.
You have now configured the system to
provide customized protection against UDP flood attacks, and to allow such attacks to be
identified in system logs and reports.
Configure sweep and flood attack prevention, and configure any other DoS responses, in the
DoS device configuration screens. Configure whitelist entries for addresses that you specifically
choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to
track threats to your system.