Applies To: BIG-IP AFM 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About detecting and protecting against DoS, DDoS, and protocol attacks
Attackers can target the BIG-IP® system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. These DoS attack prevention methods are available when the BIG-IP® Advanced Firewall Manager™ (AFM) is licensed and provisioned.
- DoS and DDoS attacks
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a machine or network resource unavailable to users. DoS attacks involve the efforts of one or more sources to disrupt the services of one or more hosts connected to the Internet.
- DNS and SIP flood (or DoS) attacks
- Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests that are either malformed or that concentrate on a particular DNS query type or protocol extension, or on a particular SIP request type, at a rate the system cannot absorb. The BIG-IP system allows you to track such attacks using the DoS Protection profile.
- DoS Sweep and Flood attacks
- A sweep attack is a network scanning technique that sweeps your network by sending packets, and using the packet responses to determine responsive hosts. Sweep and flood attack prevention allows you to configure system thresholds for packets that conform to typical sweep or flood attack patterns. This configuration is set in the DoS Device Configuration.
- Malformed DNS packets
- Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
- Malformed SIP packets
- Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
- Protocol exploits
- Attackers can send DNS requests using unusual DNS query types or OpCodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS OpCodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks. This configuration is set in the DNS Security profile.
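The detection categories above (malformed packets, denied query types and OpCodes, per-second flood thresholds, and sweeps where one source probes many hosts) can be seen working together in a small self-contained detector. The following is an added illustration written for this page, not F5 code and not how AFM is implemented internally; the thresholds, the allowed-QTYPE and denied-OpCode sets, and the packet stream are all constructed assumptions chosen to exercise each verdict.

```python
"""Toy DNS DoS / protocol-abuse classifier (added example, not F5 code).

Parses raw DNS query headers, drops malformed packets, enforces a QTYPE
allow-list and an OPCODE deny-list, then applies per-second flood and
sweep thresholds.  Every packet and threshold below is a constructed
assumption for illustration only.
"""
import struct
from collections import defaultdict

FLOOD_PPS = 5     # assumed: max packets/second of one query type, all sources
SWEEP_HOSTS = 3   # assumed: max distinct destinations one source may probe/second

QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}
ALLOWED_QTYPES = {1, 2, 15, 16, 28}   # assumed policy: deny AXFR and ANY
DENIED_OPCODES = {4, 5}               # assumed policy: deny NOTIFY and UPDATE


def parse_query(pkt: bytes):
    """Return (opcode, qtype) for a well-formed query or raise ValueError."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set on a query")
    if qdcount != 1:
        raise ValueError("QDCOUNT must be 1")
    pos = 12
    while True:                      # walk the QNAME labels
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        if length > 63:
            raise ValueError("label too long")
        pos += 1 + length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return (flags >> 11) & 0xF, qtype


def new_state():
    return {"flood": defaultdict(int), "sweep": defaultdict(set)}


def classify(src, dst, ts, pkt, state):
    """Verdict for one packet; protocol checks first, then rate thresholds."""
    try:
        opcode, qtype = parse_query(pkt)
    except ValueError as err:
        return f"drop:malformed({err})"
    if opcode in DENIED_OPCODES:
        return f"drop:opcode({opcode})"
    if qtype not in ALLOWED_QTYPES:
        return f"drop:qtype({QTYPE_NAMES.get(qtype, qtype)})"
    sec = int(ts)
    state["flood"][(sec, qtype)] += 1          # flood: volume of one query type
    state["sweep"][(sec, src)].add(dst)        # sweep: hosts touched by one source
    if state["flood"][(sec, qtype)] > FLOOD_PPS:
        return f"rate-limit:flood({QTYPE_NAMES[qtype]})"
    if len(state["sweep"][(sec, src)]) > SWEEP_HOSTS:
        return "drop:sweep"
    return "allow"


def build_query(name, qtype, opcode=0, qr=0):
    """Construct a minimal DNS query packet (sample data for the demo)."""
    flags = (qr << 15) | (opcode << 11) | 0x0100        # RD set
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def run_sample():
    """Classify a constructed packet stream and return the verdicts in order."""
    state = new_state()
    stream = [
        ("10.0.0.5", "192.0.2.53", 0.1, build_query("example.com", 1)),            # clean A query
        ("10.0.0.5", "192.0.2.53", 0.2, build_query("example.com", 255)),          # ANY: denied qtype
        ("10.0.0.5", "192.0.2.53", 0.3, build_query("example.com", 1, opcode=5)),  # UPDATE: denied opcode
        ("10.0.0.5", "192.0.2.53", 0.4, b"\x12\x34\x01"),                          # truncated header
        ("10.0.0.5", "192.0.2.53", 0.5, build_query("example.com", 1, qr=1)),      # response bit on a query
    ]
    for i in range(6):   # A-query flood from many sources in second 0
        stream.append((f"10.0.1.{i}", "192.0.2.53", 0.6 + i / 100, build_query("example.com", 1)))
    for i in range(4):   # one source sweeping four hosts in second 1
        stream.append(("10.0.9.9", f"192.0.2.{10 + i}", 1.0 + i / 100, build_query("example.com", 28)))
    return [classify(s, d, t, p, state) for s, d, t, p in stream]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Protocol checks run before any counters are updated, so malformed packets and denied query types never inflate the flood statistics; the flood counter keys on query type only, so a flood spread across many sources is still caught, while the sweep counter keys on source only, so a single scanner is caught even at a low overall rate.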
About profiles for DoS and protocol service attacks
On the BIG-IP® system, you can use different types of profiles to detect and protect against system DoS attacks, to rate limit possible attacks, and to automatically blacklist IP addresses when identified as Bad Actors. You can configure settings for specific protocol attacks for DNS and SIP, and other network attacks.
- DoS Protection profile
- With the DoS Protection profile you can configure settings for DoS protection that you can apply to a virtual server, to protect a specific application or server. You can configure the DoS profile to provide specific attack prevention at a more granular level than the Device DoS profile. In a DoS Profile, you can:
- DNS Protocol Security Profile
- The DNS Security Profile is a separate profile that you specify in a DNS service profile, to provide security features. The DNS Security Profile allows you to configure the BIG-IP system to exclude (drop) or include (allow) packets of specific DNS query record types. You can also configure the profile to exclude (drop) queries that carry specific DNS header OpCodes.
- HTTP Protocol Security Profile
- The HTTP Security Profile allows you to configure the AFM system to perform HTTP protocol checks and HTTP request checks, and to present a blocking page if a check fails. You can attach an HTTP Security profile to a virtual server. Important: You can attach an HTTP Security profile only to a virtual server that is already configured with an HTTP profile.
- SSH Proxy Protocol Security Profile
- The SSH Proxy Security Profile allows you to configure the AFM system to allow or block SSH proxy commands, based on criteria including user name,