Manual Chapter : Detecting and Preventing Network DoS Attacks on a Virtual Server

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 13.1.3, 13.1.1, 13.1.0
Manual Chapter

About detecting and preventing Network DoS attacks on a virtual server

Network DoS protection is a type of security that collects several DoS checks in a DoS profile. Attack detection and prevention serves several functions:

  • To detect and report on packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can configure the Network DoS Protection profile to detect possible attack vectors by packet-per-second or percentage-increase-over-time thresholds, which can indicate that a possible attack is in process. Such attacks can be logged and reported through system logging facilities. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.

You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are passed by the DoS profile, without being subject to the checks in the DoS profile.

Per-virtual server DoS protection requires that your virtual server includes a DoS profile that includes network security.

Task list

Detecting and protecting a virtual server against network DoS attacks with a DoS profile

The BIG-IP® system handles network attacks that use malformed packets and malicious attack vectors. Possible malicious packets and attacks are detected by logging when packets exceed a threshold of packets per second, and by detecting the rate increase percentage in packets of a certain type over time. You can configure settings to identify and rate limit possible network attacks with a DoS profile. For many vectors, you can also automatically blacklist IP addresses.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click Create.
    The New DoS Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. Click Finished.
    The DoS Protection: DoS Profiles screen opens.
  5. Click the name of the DoS profile you want to modify.
  6. Select the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
  7. If you have created a whitelist on the system, in the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the list when the name appears.
  8. To define an address list to use as a whitelist, on the right side of the screen in the Shared Objects pane, click the + next to Address Lists.
    The Address List Properties pane opens.
  9. In the Contents field, type an address, and click Add. Repeat this step to add all items you want on the whitelist.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  10. Click Update.
  11. To configure network security settings, click Network Security.
  12. To change the threshold or rate increase for a particular network attack, in the Attack Type column, click the name of the attack.
    The DoS attack Properties pane appears on the right side of the screen.
  13. From the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alerting to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector, log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  14. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
  15. To configure DoS vector thresholds manually, for Threshold Mode, select Fully Manual.
    1. From the Detection Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
    2. From the Detection Threshold Percent list, select Specify or Infinite.
      Use Specify to set a value (in percentage of traffic) for the attack detection threshold. Use Infinite to set no value for the threshold.
    3. From the Mitigation Threshold EPS list, select Specify or Infinite.
      Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
      Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  16. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  17. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  18. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  19. Select Simulate Auto Threshold to log the results of the current automatic thresholds, when enforcing manual thresholds.
  20. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  21. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  22. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  23. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  24. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  25. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  26. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  27. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  28. Click Update to save your changes. The DoS vector is updated on the Network Security screen.
You have now configured a DoS Protection profile to analyze network packet behavior for DoS attacks, to allow specific configured attacks to be identified in system logs and reports, and to allow rate limiting of such attacks. DNS queries on particular record types you have configured in the DNS Query Attack Detection area are detected as attacks at your specified thresholds and rate increases, and rate limited as specified.
Associate the DoS profile with a virtual server to enable network DoS protection.

DoS profile attack types

You can specify specific threshold, rate increase, rate limit, and other parameters for supported network DoS attack types, to more accurately detect, track, and rate limit attacks.

Attention: All hardware-supported vectors are performed in hardware on vCMP® guests, provided that the vCMP guests have the same software version as the vCMP host.
DoS Category Attack Name Dos Vector Name Information Hardware accelerated
+ TTL <= <tunable> ttl-leq-one An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value , where value is 1-4. Yes
+ IP Option Frames ip-opt-frames IPv4 address packet with option.db variable tm.acceptipsourceroute must be enabled to receive IP options Yes
+ IPv6 extension header too large ext-hdr-too-large An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value , where value is 0-1024. Yes
+ IPv6 hop count <= <tunable> hop-cnt-leq-one The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value , where value is 1-4. Yes
+ IPv6 Extended Header Frames ipv6-ext-hdr-frames IPv6 address contains extended header frames Yes
+ Too Many Extended Headers too-many-ext-hdrs For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value , where value is 0-15. Yes
+ Option Present With Illegal Length opt-present-with-illegal-len Option present with illegal length Yes
+ TCP Bad URG tcp-bad-urg Packet contains a bad URG flag, this is likely malicious Yes
+ TCP Option Overruns TCP Header tcp-opt-overruns-tcp-hdr The TCP option bits overrun the TCP header. Yes
+ Unknown TCP Option Type unk-tcp-opt-type Unknown TCP option type Yes
+ ICMPv4 Flood icmpv4-flood Flood with ICMP v4 packets Yes
+ ICMPv6 Flood icmpv6-flood Flood with ICMP v6 packets Yes
+ IP Fragment Flood ip-frag-flood Fragmented packet flood with IPv4 Yes
+ IPv6 Fragment Flood ipv6-frag-flood Fragmented packet flood with IPv6 No
+ TCP RST Flood tcp-rst-flood TCP RST flood Yes
+ TCP SYN ACK Flood tcp-synack-flood TCP SYN/ACK flood Yes
+ TCP SYN Flood tcp-syn-flood TCP SYN flood Yes
+ TCP Window Size tcp-window-size The TCP window size in packets exceeds the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value , where value is <=128. Yes
+ TCP SYN Oversize tcp-syn-oversize Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value . The default size is 64 and the maximum allowable value is 9216. Yes
+ UDP Flood udp-flood UDP flood attack Yes
+ ICMP Fragment icmp-frag ICMP fragment flood Yes
+ Sweep sweep Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. You can also configure automatic blacklisting for IPs that initiate sweep attacks, using the IP intelligence mechanism. No
+ Host Unreachable host-unreachable Host unreachable error Yes
+ TIDCMP tidcmp ICMP source quench attack Yes

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the virtual server requires an HTTP profile (such as the default http).
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, from the Security menu, choose Policies.
  4. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  5. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Allowing addresses to bypass DoS profile checks

You can specify whitelisted addresses that the DoS Profile does not subject to DoS checks. Whitelist entries are specified on a security address list, and can be configured directly on the DoS Profile screen.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click the name of the DoS profile you want to modify.
  3. If you have created a whitelist on the system, in the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the list when the name appears.
  4. To define an address list to use as a whitelist, on the right side of the screen in the Shared Objects pane, click the + next to Address Lists.
    The Address List Properties pane opens.
  5. Type a Name for the address list.
  6. In the Contents field, type an address, and click Add. Repeat this step to add all items you want on the whitelist.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  7. Click Update to create the address list.
    If this is a new address list, type and select the address list name in the Default Whitelist field.
  8. Click Update to update the DoS Profile.
You have now configured a whitelist of addresses to bypass DoS checks for a DoS profile.

Creating a custom Network Firewall Logging profile

Create a custom Logging profile to log messages about BIG-IP® system Network Firewall events.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Network Firewall check box.
  5. In the Network Firewall area, from the Publisher list, select the publisher the BIG-IP system uses to log Network Firewall events.
  6. Set an Aggregate Rate Limit to define a rate limit for all combined network firewall log messages per second.
    Beyond this rate limit, log messages are not logged.
  7. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the options.
    Option Description
    Option Enables or disables logging of packets that match ACL rules configured with:
    Accept action=Accept
    Drop action=Drop
    Reject action=Reject
    When an option is selected, you can configure a rate limit for log messages of that type.
  8. Select the Log IP Errors check box, to enable logging of IP error packets.
    When this setting is enabled, you can configure a rate limit for log messages of this type.
  9. Select the Log TCP Errors check box, to enable logging of TCP error packets.
    When this is enabled, you can configure a rate limit for log messages of this type.
  10. Select the Log TCP Events check box, to enable logging of open and close of TCP sessions.
    When this is enabled, you can configure a rate limit for log messages of this type.
  11. Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for Network Firewall log events.
  12. Enable the Log Geolocation IP Address setting to specify that when a geolocation event causes a network firewall action, the associated IP address is logged.
  13. From the Storage Format list, select how the BIG-IP system formats the log.
    Option Description
    None Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined Allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order the fields display in the log.
  14. In the IP Intelligence area, from the Publisher list, select the publisher that the BIG-IP system uses to log source IP addresses, which are identified and configured for logging by an IP Intelligence policy.
    Note: The IP Address Intelligence feature must be enabled and licensed.
  15. Set an Aggregate Rate Limit to define a rate limit for all combined IP Intelligence log messages per second.
    Beyond this rate limit, log messages are not logged.
  16. Enable the Log Translation Fields setting to log both the original IP address and the NAT-translated IP address for IP Intelligence log events.
  17. In the Traffic Statistics area, from the Publisher list, select the publisher that the BIG-IP system uses to log traffic statistics.
  18. For the Log Timer Events setting, enable Active Flows to log the number of active flows each second.
  19. For the Log Timer Events setting, enable Reaped Flowsto log the number of reaped flows, or connections that are not established because of system resource usage levels.
  20. For the Log Timer Events setting, enable Missed Flows to log the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
  21. For the Log Timer Events setting, enable SYN Cookie (Per Session Challenge) to log the number of SYN cookie challenges generated each second.
  22. For the Log Timer Events setting, enable SYN Cookie (White-listed Clients) to log the number of SYN cookie clients whitelisted each second.
  23. Click Finished.
Assign this custom network firewall Logging profile to a virtual server.

Logging DoS events on a virtual server

Ensure that at least one log publisher exists on the BIG-IP® system.
Assign a custom logging profile to a virtual server when you want the system to log DoS protection events for the traffic the virtual server processes.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays policy settings for the virtual server.
  4. In the Log Profile setting, select Enabled. Then, select one or more profiles, and move them from the Available list to the Selected list.
  5. Click Update to save the changes.