Manual Chapter : Detecting Dynamic DoS Attacks

Applies To:

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About detecting dynamic DoS attacks

A dynamic DoS attack is a DoS attack that doesn't fit predefined DoS vector criteria. Using dynamic DoS attack detection, such attacks can be detected and mitigated automatically by AFM. Dynamic DoS detection creates vector signatures for attacks based on changing traffic patterns over time. When an attack is detected, a vector signature is created and added to a list of dynamic vectors. All packets are then checked against the dynamic vector, and mitigated according to internal logic. When packet processing on the system falls back to normal levels, the signature no longer appears as an attack, and is removed from the dynamic signature list.

Detection modes

The following modes are available for dynamic DoS detection.
Disabled
In this mode, no dynamic DoS detection occurs.
Learn-Only
In this mode, the system establishes a baseline for packet processing on AFM. Learn-Only mode detects traffic patterns, establishes a baseline, and detects anomalies, but does not generate logs or dynamic DoS vector signatures. Attacks are not mitigated in Learn-Only mode.
Enabled
In this mode, the system monitors traffic, compares traffic changes over time, and detects anomalies. Attacks are logged, dynamic DoS vector signatures are generated, packets are compared to the dynamic DoS vector signature, and attacks are mitigated. When an attack ceases, the dynamic DoS vector signature is removed from the list of signatures.

Mitigation Sensitivity

Mitigation sensitivity establishes how aggressively the system mitigates dynamic DoS attacks. You can set this to None, Low, Medium, or High. By default, mitigation sensitivity is set to None. Low sensitivity is the least aggressive, at the risk of allowing more attack packets through. High drops packets more aggressively, even when attack confidence is lower.
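The lifecycle described in the two sections above (learn a baseline, detect an anomalous traffic pattern, create a dynamic signature, drop matching packets according to sensitivity, retire the signature when traffic returns to normal) can be modelled in a few dozen lines. The following is an added toy model written for this page; it is not F5 code and does not reproduce AFM's internal detection logic. Traffic is represented as per-interval lists of (protocol, destination port) tuples, which stand in for the "traffic pattern" a signature would match on, and the detection factor, minimum packet count and per-sensitivity drop thresholds are assumed values chosen for the illustration.

```python
"""Toy model of dynamic DoS signature detection and mitigation.

Constructed for illustration only: not F5's code, and the thresholds
below are assumptions, not AFM's actual internal values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DETECT_FACTOR = 3.0   # a pattern is anomalous at 3x its baseline rate (assumed)
MIN_PACKETS = 50      # tiny patterns never become signatures (assumed)
# Minimum attack confidence (rate / baseline) at which each sensitivity drops.
# None logs signatures but never drops; High drops at low confidence (assumed).
DROP_CONFIDENCE = {"none": None, "low": 8.0, "medium": 5.0, "high": 3.0}


@dataclass
class DynamicDosDetector:
    mode: str = "disabled"         # "disabled", "learn-only" or "enabled"
    sensitivity: str = "none"      # "none", "low", "medium" or "high"
    alpha: float = 0.2             # EWMA weight used to learn the baseline
    baseline: dict = field(default_factory=dict)
    signatures: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def start_relearning(self):
        """Mirror of the Start Relearning option: clear history and signatures."""
        self.baseline.clear()
        self.signatures.clear()

    def process_interval(self, packets):
        """Feed one interval of traffic as a list of (proto, dport) tuples.
        Returns (passed, dropped) packet counts for the interval."""
        if self.mode == "disabled":
            return len(packets), 0
        counts = defaultdict(int)
        for key in packets:
            counts[key] += 1
        dropped = 0
        for key, n in counts.items():
            base = self.baseline.get(key)
            if base is None:       # first sight of a pattern: seed its baseline
                self.baseline[key] = float(n)
                continue
            confidence = n / max(base, 1.0)
            if n >= MIN_PACKETS and confidence >= DETECT_FACTOR:
                if self.mode == "enabled":
                    if key not in self.signatures:
                        self.signatures.add(key)
                        self.log.append(("signature-added", key, round(confidence, 1)))
                    threshold = DROP_CONFIDENCE[self.sensitivity]
                    if threshold is not None and confidence >= threshold:
                        dropped += n
                        self.log.append(("dropped", key, n))
                # learn-only: the anomaly is seen but produces no log or signature
                continue           # attack intervals must not poison the baseline
            # normal interval: retire any signature for this pattern, then learn
            if key in self.signatures:
                self.signatures.discard(key)
                self.log.append(("signature-removed", key))
            self.baseline[key] = (1 - self.alpha) * base + self.alpha * n
        return len(packets) - dropped, dropped


def constructed_traffic(flood_packets):
    """Constructed sample: 10 quiet intervals, 3 intervals with an extra
    UDP/53 flood of flood_packets packets, then 3 quiet intervals."""
    quiet = [("tcp", 443)] * 80 + [("udp", 53)] * 20
    flood = quiet + [("udp", 53)] * flood_packets
    return [quiet] * 10 + [flood] * 3 + [quiet] * 3


def run(mode, sensitivity, flood_packets=400):
    """Run the detector over the constructed traffic and summarise the outcome."""
    det = DynamicDosDetector(mode=mode, sensitivity=sensitivity)
    total_dropped, peak = 0, 0
    for interval in constructed_traffic(flood_packets):
        _, dropped = det.process_interval(interval)
        total_dropped += dropped
        peak = max(peak, len(det.signatures))
    return {"dropped": total_dropped, "peak_signatures": peak,
            "signatures_left": len(det.signatures), "log": det.log}


if __name__ == "__main__":
    for mode, sens in [("learn-only", "high"), ("enabled", "none"),
                       ("enabled", "low"), ("enabled", "high")]:
        print(mode, sens, run(mode, sens, flood_packets=80))
```

Two design points carry over to the real feature: the baseline is only updated from intervals that were not anomalous, so a sustained flood cannot teach the system that the flood is normal, and the signature is retired automatically once the pattern's rate falls back to baseline, which is the behaviour the Enabled mode description gives. The weaker flood in the `__main__` run (80 extra packets, confidence 5x) shows sensitivity at work: it is detected and logged in every Enabled configuration, but only Medium and High drop it, while Low waits for higher confidence.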

Redirection/Scrubbing

You can configure redirection and scrubbing to handle mitigation of dynamic DoS signatures with an IP Intelligence category. The following parameters can be configured for redirection and scrubbing.

Scrubbing Category
You can select an IP Intelligence category for IP addresses blocked by dynamic DoS signatures. By default, the IP intelligence category for scrubbed IP addresses is attacked_ips.
Scrubbing Advertisement Time
This is the duration for which a mitigated IP is advertised to the IP Intelligence mechanism for scrubbing. The default is 300 seconds.

Start Relearning

The Start Relearning option clears historical data, thresholds and signatures for the dynamic DoS detection system. The Dynamic DoS signature baseline is re-established. Relearning occurs for a period of 20 minutes.

Detecting global dynamic DoS attacks

You enable dynamic DoS signatures at the device level to dynamically detect and mitigate network DoS attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security.
    The Network Security screen opens to Device Configuration.
  2. Under Dynamic Signatures, from the Enforcement list, select Enabled.
  3. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is the least aggressive and also triggers the fewest false positives. A setting of High is the most aggressive, and the system may drop more legitimate packets as false positives.
  4. To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  5. If you are using Redirection/Scrubbing to handle dynamic signatures, from the Scrubbing Category list, select the IP Intelligence category with which scrubbed packets are to be categorized.
  6. In the Scrubbing Advertisement Time field, specify the amount of time to advertise the scrubbed IP address to the IP Intelligence category.
  7. Click Update to save the device configuration.

Detecting dynamic DoS network attacks on a virtual server

You enable dynamic DoS signatures on a virtual server to detect dynamic DoS attacks at a more granular level than the global level.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles.
    The DoS Profiles list screen opens.
  2. Click the name of an existing DoS profile (or create a new one).
    The DoS Profile Properties screen for that profile opens.
  3. To configure network security settings, click Network Security.
  4. Under Dynamic Signatures, from the Enforcement list, select Enabled.
  5. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is the least aggressive and also triggers the fewest false positives. A setting of High is the most aggressive, and the system may drop more legitimate packets as false positives.
  6. To have dynamic signatures handled by an IP Intelligence category, from the Redirection/Scrubbing list, select Enabled.
  7. In the Scrubbing Advertisement Time field, specify the amount of time to advertise the scrubbed IP address to the IP Intelligence category.
  8. Click Update to save the DoS profile.
You have configured the DoS profile to detect dynamic DoS vectors and mitigate such attacks.
Next, you associate the DoS profile with a virtual server to enable network DoS protection.