Applies To:
Show VersionsBIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About detecting and preventing Network DoS attacks on a virtual server
Network DoS protection is a type of security that collects several DoS checks in a DoS profile. Attack detection and prevention serves several functions:
- To detect and report on packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
- To detect, report on, and rate limit packets based on behavior characteristics that signify specific known attack vectors.
- To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
- To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.
You can configure the Network DoS Protection profile to detect possible attack vectors by packet-per-second or percentage-increase-over-time thresholds, which can indicate that a possible attack is in process. Such attacks can be logged and reported through system logging facilities. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.
You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are passed by the DoS profile, without being subject to the checks in the DoS profile.
Per-virtual server DoS protection requires that your virtual server includes a DoS profile that includes network security.
Task list
Detecting and protecting a virtual server against network DoS attacks with a DoS profile
DoS profile attack types
You can specify specific threshold, rate increase, rate limit, and other parameters for supported network DoS attack types, to more accurately detect, track, and rate limit attacks.
DoS Category | Attack Name | Dos Vector Name | Information | Hardware accelerated |
---|---|---|---|---|
+ | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value , where value is 1-4. | Yes |
+ | IP Option Frames | ip-opt-frames | IPv4 address packet with option.db variable tm.acceptipsourceroute must be enabled to receive IP options | Yes |
+ | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value , where value is 0-1024. | Yes |
+ | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value , where value is 1-4. | Yes |
+ | IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 address contains extended header frames | Yes |
+ | Too Many Extended Headers | too-many-ext-hdrs | For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value , where value is 0-15. | Yes |
+ | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length | Yes |
+ | TCP Bad URG | tcp-bad-urg | Packet contains a bad URG flag, this is likely malicious | Yes |
+ | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. | Yes |
+ | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type | Yes |
+ | ICMPv4 Flood | icmpv4-flood | Flood with ICMP v4 packets | Yes |
+ | ICMPv6 Flood | icmpv6-flood | Flood with ICMP v6 packets | Yes |
+ | IP Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4 | Yes |
+ | IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6 | No |
+ | TCP RST Flood | tcp-rst-flood | TCP RST flood | Yes |
+ | TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood | Yes |
+ | TCP SYN Flood | tcp-syn-flood | TCP SYN flood | Yes |
+ | TCP Window Size | tcp-window-size | The TCP window size in packets exceeds the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value , where value is <=128. | Yes |
+ | TCP SYN Oversize | tcp-syn-oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value . The default size is 64 and the maximum allowable value is 9216. | Yes |
+ | UDP Flood | udp-flood | UDP flood attack | Yes |
+ | ICMP Fragment | icmp-frag | ICMP fragment flood | Yes |
+ | Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. You can also configure automatic blacklisting for IPs that initiate sweep attacks, using the IP intelligence mechanism. | No |
+ | Host Unreachable | host-unreachable | Host unreachable error | Yes |
+ | TIDCMP | tidcmp | ICMP source quench attack | Yes |