Manual Chapter : Configuring DoS Policy Switching

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About DoS protection and local traffic policies

To provide additional flexibility for configuring DoS protection, you can use local traffic policies together with DoS protection. The advantage of creating local traffic policies is that you can apply multiple DoS protection policies to different types of traffic, using distinct DoS profiles. However, you need to be aware of certain considerations when using this method.

Local traffic policies can include multiple rules. Each rule consists of a condition and a set of actions to be performed if the respective condition holds. So you can create a local traffic policy that controls Layer 7 DoS protection and includes multiple rules. If you do, every rule must include one of the following Layer 7 DoS actions:

  • Enable DoS protection using the default DoS profile (/Common/dos)
  • Enable DoS protection from a specific DoS profile
  • Disable DoS protection
Important: Make sure that the local traffic policy with DoS protection includes a default rule with no condition, so that it applies to traffic that matches no other rule. In addition, be sure that every rule (including the default one) has an L7 DoS action in it, possibly in addition to other actions.

A default rule is required because a local traffic policy action applies not only to the request that matched the condition, but also to subsequent requests on the same TCP connection, even if they do not match that condition, until a request on that connection matches a different rule with a different L7 DoS action.

This requirement ensures that every request matches some rule (if only the default one) and triggers an appropriate Layer 7 DoS action, so that a request does not silently inherit the action of the previous request on the same connection, which can yield unexpected results. In the example that follows, if the default rule were missing, a single request whose Host header ends with internal.my_host.com would disable DoS protection for every later request on that connection that matches no other rule, regardless of the host those later requests name.

A typical default rule for Layer 7 DoS has no condition and simply enables DoS protection; in that case the rule uses the DoS profile attached to the virtual server. In the DoS policy switching example, the third rule, others, is this default rule.

Overview: Configuring DoS policy switching

You can configure the BIG-IP system to protect against Layer 7 DoS attacks by applying different DoS profiles in different situations, or to different types of traffic.

This implementation provides an example where you configure DoS protection for Layer 7 by creating two DoS profiles with Application Security enabled. You then associate the default DoS profile with a virtual server representing the application that you want to protect. You also create a local traffic policy with rules that assign different DoS protections depending on the traffic. Then you associate the local traffic policy with the virtual server.

This example divides traffic into three categories:

  • Employees: A unique DoS profile, assigned to employees, reports DoS attacks but does not drop connections when there is an attack.
  • Internal users: No DoS protection is applied to internal users.
  • Others: The strictest DoS protection is applied using the default DoS profile for all other users; the system blocks DoS attacks that occur on other traffic.

Many other options are available for configuring DoS policy switching. This is simply one way to illustrate how you can configure multiple DoS protections using a local traffic policy to determine different conditions and actions. By following the steps in this example, you can see the other options that are available on the screens, and can adjust the example for your needs.

Task Summary

Creating a DoS profile for Layer 7 traffic

To define the circumstances under which the system considers traffic to be a denial-of-service (DoS) attack, you create a DoS profile. For the DoS policy switching example, you create a special DoS profile for employees that does not block traffic; it only reports the DoS attack.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles. The DoS Profiles list screen opens.
  2. Click Create. The Create New DoS Profile screen opens.
  3. In the Profile Name field, type employee_l7dos_profile for the profile name in this example.
  4. Select the Application Security check box. The screen refreshes and displays additional configuration settings.
  5. In the TPS-based Anomaly area, for Operation Mode, select Transparent. When the system detects a DoS attack, it displays the attack data on the Reporting DoS Attacks screen.
  6. Use the default values for the other settings.
  7. Click Finished to save the DoS profile.
You have now created a simple DoS profile to report DoS attacks based on transaction rates using TPS-based DoS protection.

Modifying the default DoS profile

The BIG-IP system includes a default DoS profile that you can modify to specify when to use DoS protection. For the DoS policy switching example, you can modify the default DoS profile and use it for people other than employees or internal users who are accessing applications. This example creates a strict default DoS profile that drops requests considered to be an attack.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles. The DoS Profiles list screen opens.
  2. Click the profile called dos. The DoS Profile Properties screen opens.
  3. Select the Application Security check box. The screen refreshes and displays additional configuration settings.
  4. In the TPS-based Anomaly area, for Operation Mode, select Blocking.
  5. In the Latency-based Anomaly area, for Operation Mode, select Blocking.
  6. Use the default values for the other settings.
  7. Click Finished to save the DoS profile.
You have now modified the default DoS profile that will be used for people other than employees or internal users. For these users, the system drops connections from attacking IP addresses, and for requests directed to attacked URLs.
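The same two profiles built from tmsh instead of the Configuration utility, as an added example that is not part of this manual. It assumes the 11.x tmsh schema for security dos profile (the application, tps-based, latency-based and mode keywords, with the application sub-entry keyed by the profile name); confirm these with help security dos profile on your system before use.

```tmsh
# Added example (not from the manual): tmsh equivalent of the two DoS profile tasks above.
# Run from the tmsh prompt, or prefix each command with "tmsh" from the bash shell.

# Employees: report TPS-based attacks but never block (Operation Mode = Transparent).
create security dos profile employee_l7dos_profile application add { employee_l7dos_profile { tps-based { mode transparent } } }

# Others: the built-in "dos" profile with both detection methods set to Blocking.
# "application add" turns on Application Security for a profile that did not have it;
# if the section already exists on your "dos" profile, use "application modify" instead.
modify security dos profile dos application add { dos { tps-based { mode blocking } latency-based { mode blocking } } }

# Review both profiles before the local traffic policy references them, then persist.
list security dos profile employee_l7dos_profile
list security dos profile dos
save sys config
```

The employee profile deliberately leaves latency-based detection at its default (off), matching the GUI procedure above; only the default profile blocks on both transaction rate and server latency.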

Creating a local traffic policy for DoS policy switching

You can create a local traffic policy to impose different levels of DoS protection on distinct types of Layer 7 traffic.
  1. On the Main tab, click Local Traffic > Policies.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a name for the local traffic policy.
  4. From the Strategy list, select first-match.
  5. In the Requires setting, move http from the Available to the Selected list.
  6. In the Controls setting, move l7dos from the Available to the Selected list.
  7. Click Finished to save the local traffic policy.
You have now created a local traffic policy that controls Layer 7 DoS.
Next, you need to add rules to the local traffic policy to specify the DoS protection that should occur for different types of Layer 7 traffic.

Creating policy rules for DoS policy switching

You can add rules to define conditions and perform specific actions for different types of Layer 7 traffic. This example creates three rules to implement different DoS protection for employees, for internal personnel, and for others.
  1. On the Main tab, click Local Traffic > Policies.
  2. Click the name of the local traffic policy that controls Layer 7 DoS.
  3. In the Rules area, click Add to create a rule that defines DoS protection for employees.
  4. In the Rule Name field, type the name employees.
  5. In the Conditions setting, identify employee traffic by the host name in the request: specify the following values, and use the default values for the rest.
    1. From the Operand list, select http-host.
    2. From the Condition list, select ends_with.
    3. In the Values field, type employee.my_host.com and click Add to add the value for the condition.
    4. To add the condition, click Add.
  6. In the Actions setting, define the DoS protection to apply to employees: specify the following values, and use the default values for the rest.
    1. From the Target list, select l7dos. Event is set to request, Action is set to enable, and from_profile is set to the default DoS profile, /Common/dos.
    2. To specify a unique DoS profile for employees, from the Parameters list, select from_profile; then select employee_l7dos_profile (or a previously created custom DoS profile), and click the adjacent Add button to add the value for the action.
    3. Above the list of actions, click Add to add the action to the list.
  7. Click Finished to add the rule to the local traffic policy.
  8. On the Policy List screen, click the name of the policy that you are working on for Layer 7 DoS.
  9. In the Rules area, click Add to create a second rule, and call it internal.
  10. In the Conditions setting, identify internal traffic by the host name in the request: specify the following values, and use the default values for the rest.
    1. From the Operand list, select http-host.
    2. From the Condition list, select ends_with.
    3. In the Values field, type internal.my_host.com and click Add to add the value for the condition.
    4. To add the condition, click Add.
  11. In the Actions setting, disable DoS protection for internal traffic: specify the following values, and use the default values for the rest.
    1. From the Target list, select l7dos.
    2. For Action, select disable.
    3. Click Add to add the action to the list.
  12. Click Finished to add the rule to the local traffic policy.
  13. On the Policy List screen, click the name of the policy that you are working on for Layer 7 DoS.
  14. Click Add to create a third rule, and call it others.
  15. In the Conditions setting, keep the default values and add no condition. The Operand list shows http-basic-auth, Event shows request, and Selector shows username, but because you do not click Add, no condition is listed. This last rule is the default rule, which applies to any request that the first two rules do not match. If you omit such a rule, a request that matches no rule keeps the L7 DoS action most recently applied on the same connection.
  16. In the Actions setting, define the DoS protection to apply to all others: specify the following values, and use the default values for the rest.
    1. From the Target list, select l7dos. Event is set to request, Action is set to enable, and from_profile is set to the default DoS profile, /Common/dos.
    2. Above the list of actions, click Add to add the action to the list.
  17. Click Finished to add the rule to the local traffic policy.
  18. Click Update to save the local traffic policy with the rules.
You have now created a local traffic policy that defines DoS protection for employees, for internal traffic, and for others.
Next, you need to associate the default DoS profile and the local traffic policy with the virtual server that connects to the application server you are protecting.

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol.
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  4. From the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Associating a local traffic policy with a virtual server

After you create a local traffic policy, you associate that policy with the virtual server created to handle application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Resources.
  4. In the Policies area, click the Manage button.
  5. For the Policies setting, from the Available list, select the local traffic policy you previously created, and move it to the Enabled list.
  6. Click Finished.
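The policy, its three rules, and both virtual server associations built from tmsh, as an added example that is not part of this manual. Assumptions not taken from the page: the virtual server is named my_app_vs and the policy is named dos_switching; the keyword names for ltm policy conditions and actions (http-host, ends-with, values, l7dos, enable, disable, from-profile) and the profiles and policies attributes of ltm virtual follow the 11.x tmsh schema and should be confirmed with help ltm policy and help ltm virtual on your version.

```tmsh
# Added example (not from the manual): tmsh equivalent of the policy, rule and
# virtual-server tasks above. Object names other than the profiles and host names
# used in this chapter (my_app_vs, dos_switching) are assumptions.

# One first-match policy with three rules. Ordinals fix the evaluation order; the
# "others" rule has no conditions, so it is the default rule that every L7 DoS
# policy needs, and like the other two it carries an l7dos action.
create ltm policy dos_switching strategy first-match requires add { http } controls add { l7dos } rules add { employees { ordinal 1 conditions add { 0 { http-host ends-with values { employee.my_host.com } } } actions add { 0 { l7dos enable from-profile employee_l7dos_profile } } } internal { ordinal 2 conditions add { 0 { http-host ends-with values { internal.my_host.com } } } actions add { 0 { l7dos disable } } } others { ordinal 3 actions add { 0 { l7dos enable from-profile dos } } } }

# Attach the strict default DoS profile and the switching policy to the virtual server
# that fronts the protected application.
modify ltm virtual my_app_vs profiles add { dos } policies add { dos_switching }

# Review the result. Every rule, including "others", must list an l7dos action;
# a rule without one lets the previous request's action persist on the connection.
list ltm policy dos_switching
list ltm virtual my_app_vs profiles policies
save sys config
```

To check the behaviour after deployment, send requests with Host headers ending in employee.my_host.com, internal.my_host.com, and an unrelated host over one persistent connection, and confirm on the Reporting DoS Attacks screen (or with show security dos) that only the unrelated host is evaluated against the blocking profile.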

Implementation results

When you have completed the steps in this implementation, you have configured the Application Security Manager to protect against Layer 7 DoS attacks. By using a local traffic policy, you distinguished between three types of traffic: employees, internal users, and others.

The first rule in the local traffic policy identifies employees by a Host header in the request that ends with employee.my_host.com. You created a special DoS profile for employees that reports transaction-based DoS attacks but does not drop connections.

The second rule in the local traffic policy identifies internal users by a Host header in the request that ends with internal.my_host.com. In the policy, you specified that there should be no DoS protection for internal users.

A third rule acts as the default rule and applies to any traffic that was not identified by the first two rules. All other traffic uses the default DoS profile (dos) assigned on the Security tab of the virtual server where traffic is directed to the application. You modified the default DoS profile to block transaction-based and server latency-based DoS attacks that the system detects.

After creating the local traffic policy with Layer 7 DoS rules, you also associated it with the virtual server. Different types of traffic directed to the virtual server now have distinct DoS protections assigned to them.