Manual Chapter : Detecting and Preventing DNS DoS Attacks on a Virtual Server

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 13.1.1, 13.1.0
Manual Chapter

About preventing DNS DoS attacks on a virtual server

DNS DoS protection is a type of protocol security. DNS DoS attack detection and prevention serves several functions:

  • To detect and report on DNS packets based on behavior characteristics of the sender, or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit DNS packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can use the DNS DoS Protection profile to configure the percentage increase over the system baseline, which indicates that a possible attack is in process on a particular DNS query type, or an increase in anomalous packets. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.

You can specify an address list as a whitelist, that the DoS checks allow. Whitelisted addresses are passed by the DoS profile, without being subject to the checks in the DoS profile.

Per-virtual server DoS protection requires that your virtual server includes a DoS profile that includes DNS security.

Task list

Detecting and protecting against DNS DoS attacks with a DoS profile

You can configure DNS attack settings in a DoS profile that already exists, or create a new one.
The BIG-IP® system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses, by detecting packets per second and detecting percentage increase in packets over time. You can configure settings to identify and rate limit possible DNS attacks with a DoS profile.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click Create.
    The New DoS Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. Click Finished.
    The DoS Protection: DoS Profiles screen opens.
  5. Click the name of the DoS profile you want to modify.
  6. Select the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
  7. If you have created a whitelist on the system, in the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the list when the name appears.
  8. To configure DNS security settings, click Protocol Security, and choose DNS Security.
  9. To configure enforcement and settings for a DNS vector, in the Attack Type column, click the vector name.
    The vector properties pane opens on the right.
  10. From the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alerting to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector, log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  11. For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), have partially automatic settings (Manual Detection / Auto Mitigation), or, you can control the settings (Fully Manual).
    The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to online Help for details on the settings.
  12. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
  13. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  14. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  15. From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
  16. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  17. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  18. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  19. Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to malicious DNS protocol attacks, to allow such attacks to be identified in system logs and reports, and to allow rate limiting and other actions when such attacks are detected. DNS queries on particular record types you have configured in the DNS Query Attack Detection area are detected as attacks at your specified thresholds and rate increases, and rate limited as specified.
Associate a DNS profile with a virtual server to enable the virtual server to handle DNS traffic. Associate the DoS Protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server.

Creating a custom DNS profile to firewall DNS traffic

Ensure that you have a DNS security profile created before you configure this system DNS profile.
You can create a custom DNS profile to configure the BIG-IP® system firewall traffic through the system.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS .
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the DNS Traffic area, from the DNS Security list, select Enabled.
  7. In the DNS Traffic area, from the DNS Security Profile Name list, select the name of the DNS firewall profile.
  8. Click Finished.
Assign the custom DNS profile to the virtual server that handles the DNS traffic that you want to firewall.

Assigning a DNS profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the DNS Profile list, select the profile you want to assign to the virtual server.
  5. Click Update.
The virtual server now handles DNS traffic.

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the virtual server requires an HTTP profile (such as the default http).
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, from the Security menu, choose Policies.
  4. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  5. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Allowing addresses to bypass DoS profile checks

You can specify whitelisted addresses that the DoS Profile does not subject to DoS checks. Whitelist entries are specified on a security address list, and can be configured directly on the DoS Profile screen.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click the name of the DoS profile you want to modify.
  3. If you have created a whitelist on the system, in the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the list when the name appears.
  4. To define an address list to use as a whitelist, on the right side of the screen in the Shared Objects pane, click the + next to Address Lists.
    The Address List Properties pane opens.
  5. Type a Name for the address list.
  6. In the Contents field, type an address, and click Add. Repeat this step to add all items you want on the whitelist.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  7. Click Update to create the address list.
    If this is a new address list, type and select the address list name in the Default Whitelist field.
  8. Click Update to update the DoS Profile.
You have now configured a whitelist of addresses to bypass DoS checks for a DoS profile.

Creating a logging profile to log DNS attacks

Create a custom logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Profile Name field, type a name for the logging profile.
  4. Select the Protocol Security check box.
  5. In the DNS Security area, from the Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  6. Select the Log Dropped Requests check box, to enable the BIG-IP system to log dropped DNS requests.
  7. Select the Log Filtered Dropped Requests check box, to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    Note: The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  8. Select the Log Malformed Requests check box to enable the BIG-IP system to log malformed DNS requests.
  9. Select the Log Rejected Requests check box to enable the BIG-IP system to log rejected DNS requests.
  10. Select the Log Malicious Requests check box to enable the BIG-IP system to log malicious DNS requests.
  11. From the Storage Format list, select how the BIG-IP system formats the log.
    Option Description
    None Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order the fields display in the log.
  12. In the Logging Profile Properties, select the DoS Protection check box.
    The DoS Protection tab opens.
  13. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  14. Click Finished.
Assign this custom DoS Protection Logging profile to a virtual server.

Logging DoS events on a virtual server

Ensure that at least one log publisher exists on the BIG-IP® system.
Assign a custom logging profile to a virtual server when you want the system to log DoS protection events for the traffic the virtual server processes.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays policy settings for the virtual server.
  4. In the Log Profile setting, select Enabled. Then, select one or more profiles, and move them from the Available list to the Selected list.
  5. Click Update to save the changes.