Applies To: BIG-IP ASM 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Configuring DoS Policy Switching
About DoS protection and local traffic policies
To provide additional flexibility for configuring DoS protection, you can use local traffic policies together with DoS protection. The advantage of creating local traffic policies is that you can apply multiple DoS protection policies to different types of traffic, using distinct DoS profiles. However, you need to be aware of certain considerations when using this method.
Local traffic policies can include multiple rules. Each rule consists of a condition and a set of actions to be performed if the respective condition holds. So you can create a local traffic policy that controls Layer 7 DoS protection and includes multiple rules. If you do, every rule must include one of the following Layer 7 DoS actions:
- Enable DoS protection using the default DoS profile (/Common/dos)
- Enable DoS protection from a specific DoS profile
- Disable DoS protection
A default rule is required because a local traffic policy action applies not only to the request that matched the condition, but also to the following requests on the same TCP connection, even if they do not match the condition that triggered the action. The action stays in force until a later request on the same connection matches a different rule with a different Layer 7 DoS action.
This requirement ensures that every request will match some rule (even the default one), and will trigger a reasonable Layer 7 DoS action. This way a request will not automatically enforce the action of the previous request on the same connection, which can yield unexpected results.
A typical default rule for Layer 7 DoS has no condition and simply enables DoS protection. In that case, the action the rule takes is to use the DoS profile attached to the virtual server. In the example of configuring DoS policy switching, the third rule, others, is the default rule.
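To make the connection-stickiness concrete, here is an added Python model (not F5 code) of how a first-match policy with and without a default rule selects the Layer 7 DoS profile for successive requests on one TCP connection; the employee profile name /Common/dos_employee, the host www.my_host.com and the fallback before any rule matches are assumptions.

```python
from typing import List, Optional


class Rule:
    """One local traffic policy rule: an optional Host-suffix condition and an
    L7 DoS action. host_suffix=None means the rule has no condition (default)."""

    def __init__(self, name: str, action: str, host_suffix: Optional[str] = None):
        self.name = name
        self.action = action          # "enable", "enable:<profile>" or "disable"
        self.host_suffix = host_suffix

    def matches(self, host: str) -> bool:
        return self.host_suffix is None or host.endswith(self.host_suffix)


# The three rules from this page's example (the employee profile name is assumed).
EMPLOYEES = Rule("employees", "enable:/Common/dos_employee", "employee.my_host.com")
INTERNAL = Rule("internal", "disable", "internal.my_host.com")
OTHERS = Rule("others", "enable")     # default rule: use the virtual server's profile


def apply_policy(rules: List[Rule], hosts: List[str],
                 vs_profile: str = "/Common/dos") -> List[Optional[str]]:
    """Return the effective DoS profile (None = no protection) for each request
    sent on ONE TCP connection, in order. The first matching rule wins; a request
    that matches no rule keeps the action of the previous request on the
    connection, which is the behaviour the text above describes."""
    current = "enable"    # assumption: before any rule matches, the VS profile applies
    effective: List[Optional[str]] = []
    for host in hosts:
        for rule in rules:
            if rule.matches(host):
                current = rule.action
                break
        if current == "disable":
            effective.append(None)
        elif current == "enable":
            effective.append(vs_profile)
        else:
            effective.append(current.split(":", 1)[1])
    return effective


# Constructed request sequence on a single keep-alive connection.
CONNECTION = ["internal.my_host.com", "www.my_host.com",
              "employee.my_host.com", "www.my_host.com"]


def with_default_rule() -> List[Optional[str]]:
    return apply_policy([EMPLOYEES, INTERNAL, OTHERS], CONNECTION)


def without_default_rule() -> List[Optional[str]]:
    # Without "others", both www requests inherit the previous request's action.
    return apply_policy([EMPLOYEES, INTERNAL], CONNECTION)
```

Without the default rule, the second www request is left unprotected because it inherits the "disable" action of the internal request that preceded it on the connection.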
Overview: Configuring DoS policy switching
You can configure the BIG-IP® system to protect against Layer 7 DoS attacks by applying distinct DoS profiles in different situations, or to different types of traffic.
This implementation provides an example where you configure DoS protection for Layer 7 by creating two DoS profiles with Application Security enabled. You then associate the default DoS profile with a virtual server representing the application that you want to protect. You also create a local traffic policy with rules that assign different DoS protections depending on the traffic. Then you associate the local traffic policy with the virtual server.
This example divides traffic into three categories:
- Employees: A unique DoS profile, assigned to employees, reports DoS attacks but does not drop connections when there is an attack.
- Internal users: No DoS protection is applied to internal users.
- Others: The strictest DoS protection is applied using the default DoS profile for all other users; the system blocks DoS attacks that occur on other traffic.
Many other options are available for configuring DoS policy switching. This is simply one way to illustrate how you can configure multiple DoS protections using a local traffic policy to determine different conditions and actions. By following the steps in this example, you can see the other options that are available on the screens, and can adjust the example for your needs.
Task Summary
- Creating a DoS profile for Layer 7 traffic
- Modifying the default DoS profile
- Creating a local traffic policy for DoS policy switching
- Creating policy rules for DoS policy switching
- Associating a DoS profile with a virtual server
- Associating a local traffic policy with a virtual server
Implementation results
When you have completed the steps in this implementation, you have configured the Application Security Manager™ to protect against Layer 7 DoS attacks. By using a local traffic policy, you distinguished between three types of traffic: employees, internal users, and others.
The first rule in the local traffic policy identifies employees by the last line of the host header in the request, which says employee.my_host.com. You created a special DoS profile for employees that reports transaction-based DoS attacks but does not drop connections.
The second rule in the local traffic policy identifies internal users by the last line of the host header in the request, which says internal.my_host.com. In the policy, you specified that there should be no DoS protection for internal users.
A third rule acts as the default rule and applies to any traffic that was not identified by the first two rules. All other traffic uses the default DoS profile (dos) assigned on the Security tab of the virtual server where traffic is directed to the application. You modified the default DoS profile to block transaction-based and server latency-based DoS attacks that the system detects.
After creating the local traffic policy with Layer 7 DoS rules, you also associated it with the virtual server. The different types of traffic directed to the virtual server now have distinct DoS protections assigned to them.