A dynamic DoS attack is a DoS
attack that doesn't fit predefined DoS vector criteria. Using dynamic DoS attack detection, such
attacks can be detected and mitigated automatically by AFM. Dynamic DoS detection creates vector
signatures for attacks based on changing traffic patterns over time. When an attack is detected,
a vector signature is created and added to a list of dynamic vectors. All packets are then
checked against the dynamic vector, and mitigated according to internal logic. When packet
processing on the system falls back to normal levels, the signature no longer appears as an
attack, and is removed from the dynamic signature list.
Detection modes
The following modes are available for dynamic DoS detection.
-
Disabled
- In this mode, no dynamic DoS detection occurs.
-
Learn-Only
- In this mode, the system establishes a baseline for packet processing on AFM. Learn-Only
mode detects traffic patterns, establishes a baseline, and detects anomalies, but does not
generate logs or dynamic DoS vector signatures. Attacks are not mitigated in Learn-Only
mode.
-
Enabled
- In this mode, the system monitors traffic, compares traffic changes over time, and detects
anomalies. Attacks are logged, dynamic DoS vector signatures are generated, packets are
compared to the dynamic DoS vector signature, and attacks are mitigated. When an attack
ceases, the dynamic DoS vector signature is removed from the list of signatures.
Mitigation Sensitivity
Mitigation sensitivity establishes how aggressively the system mitigates dynamic DoS attacks.
You can set this to None, Low,
Medium, or High. By default, mitigation
sensitivity is set to None. Low sensitivity is the
least aggressive, at the risk of allowing more attack packets through.
High drops packets more aggressively, even when attack confidence is
lower.
Redirection/Scrubbing
You can configure redirection and scrubbing to handle mitigation of dynamic DoS signatures
with an IP Intelligence category. The following parameters can be configured for redirection and
scrubbing.
-
Scrubbing Category
- You can select an IP Intelligence category for IP addresses blocked by dynamic DoS
signatures. By default, the IP intelligence category for scrubbed IP addresses is
attacked_ips.
-
Scrubbing Advertisement Time
- This is the duration for which a mitigated IP is advertised to the IP Intelligence
mechanism for scrubbing. The default is 300 seconds.
Start Relearning
The Start Relearning option clears historical data, thresholds and
signatures for the dynamic DoS detection system. The Dynamic DoS signature baseline is
re-established. Relearning occurs for a period of 60 minutes.
Task list
Detecting dynamic DoS network attacks on a
virtual server
You enable dynamic DoS signatures on
a virtual server to detect dynamic DoS attacks at a more granular level than the global
level.
-
On the Main tab, click .
The DoS Profiles list screen opens.
-
Click the name of an existing DoS profile (or create a new one).
The DoS Profile Properties screen for that profile opens.
-
To configure network security settings, click Network
Security.
-
Under Dynamic Signatures, from the Enforcement list,
select Enabled.
-
From the Mitigation Sensitivity list, select the
sensitivity level for dropping packets.
- Select
None to generate and log dynamic signatures,
without dropping packets.
- To drop packets, set the
mitigation level from Low to
High.A setting of Low is
least aggressive, but will also trigger fewer false positives. A setting of
High is most aggressive, and the system may drop
more false positive packets.
-
To have dynamic signatures handled by an IP Intelligence category, from the
Redirection/Scrubbing list, select
Enabled.
-
In the Scrubbing Advertisement Time field, specify the
amount of time to advertise the scrubbed IP address to the IP Intelligence
category.
-
Click Update to save the DoS profile.
You have configured the DoS profile
to detect dynamic DoS vectors and mitigate such attacks.
Next, you associate the DoS profile
with a virtual server to enable network DoS protection.