Applies To: BIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Using Shun with Layer 7 DoS
Overview: Using Shun with Layer 7 DoS
Layer 7 DoS in Application Security Manager™ (ASM) is set up to automatically add IP addresses to a shun list (also called auto-blacklisting). The BIG-IP® system stops traffic that is thought to be causing a DoS attack by adding its source IP address to a shun list for a limited time. L7 DoS maintains the shun list, and auto-blacklisting works at Layer 7 whenever you configure an L7 DoS profile and attach it to a virtual server. Shunned addresses are also blocked at the IP level when both of the following are true:
- You configure an L7 DoS profile and an IP intelligence policy, and then associate both with a virtual server, and
- You are using mitigations other than device ID or URL in the DoS profile.
The DoS profile you create should include all of the DoS mitigations you want to use for the application. For example, you could enable these protections:
- Proactive Bot Defense with CAPTCHA challenge
- Stress-based Detection with Request Blocking and Rate Limiting
- Heavy URL Protection set to automatic detection
Source IP addresses that are thought to be causing a DoS attack based on the mitigations you configured fall into the category of application denial of service blacklist, for which the IP intelligence policy is configured to drop. Together, and using fewer resources, the DoS profile and IP intelligence policy protect the web application from DoS attacks.
About the DoS shun list
A shun list is a temporary list of IP addresses that have been sending lots of traffic that is failing 90%, or more, of the time. The failures occur as a result of any of the mitigation methods in use, including CAPTCHA, request blocking, client-side integrity defense, bot defense, and so on. The system creates a shun list of clients that repeatedly fail to respond to DoS JavaScript challenges, undergo high block ratios in rate limiting, or have been repeatedly handled by any of the other DoS mitigations. While these clients are on the shun list, all traffic they send is blocked.
Shun list features are set up using system variables. By default, the shun list is enabled, and clients remain on the list and are blocked for 120 seconds. The default minimum ratio of successful responses to JavaScript challenges is 10%; clients at or above that ratio stay off the shun list. Clients being considered for the shun list must be sending at least 10 requests per second. Advanced users can change the default values, if necessary, by adjusting the system variables from the command line.
Shun List system variables
The shun list is set up using system variables from the command line. These system variables are automatically set to reasonable values by default. Do not change these variables unless you are an advanced BIG-IP® system user.
| Variable | Default Value | What It Specifies |
|---|---|---|
| dosl7d.shun_list | enable | Whether to use the shun list to block IP addresses. |
| dosl7d.min_challenge_success_ratio | 10% | The minimum percentage of good transactions per IP address (or else the system adds it to the shun list). |
| dosl7d.min_challenge_rps | 10 | The minimum requests per second before the system can apply shun mitigation. |
| dosl7d.shun_prevention_time | 120 | The time in seconds (from 1-1000) to keep the IP address on the shun list. |

For example, this command disables the shun list:

```
(tmos)# modify sys db dosl7d.shun_list value disable
```
Sample DoS shun block report
This figure shows a sample Transaction Outcomes report for a system on which there have been DoS attacks. Most of the attacks have been blocked because the IP addresses are on the shun list. This chart shows aggregated data and is updated every 5 minutes.
Sample DoS report with shun blocked traffic
To view current DoS statistics that are updated every 30 seconds, click Open Real-Time Charts.
This figure shows a real-time chart with current DoS statistics, updated every 30 seconds. Traffic that does not constitute a DoS attack is described as Passthrough. Some DoS attacks are being mitigated using rate limiting and request blocking and are shown as DoS Blocked; others come from IP addresses on the shun list (requests from that IP address fail over 90% of the time), or from clients that did not respond to a JavaScript challenge (CS Integrity Mitigation).
Sample real-time DoS report
Result of using shun list with Layer 7 DoS
Now you have associated both a DoS profile and an IP intelligence policy with the virtual server representing the application. Here's a general idea of what happens next:
- A client is sending lots of traffic from one IP address to the web application.
- Layer 7 DoS first inspects the traffic even before it gets to Application Security Manager™.
- If the client is blocked more than 90% of the time and it is sending at least 10 requests per second, the client IP address is put on the shun list.
- Traffic from the IP address on the shun list is blocked at the IP level (Layer 3) for two minutes.
- After that, the IP address is removed from the shun list.
- Traffic from the IP address is allowed through to L7 DoS where it is inspected according to the protections in the DoS profile.
- If the traffic is successful more than 10% of the time, it is allowed and handled by L7 DoS. Otherwise, that IP address is added back onto the shun list.
If DoS mitigation is performed by URL or device ID, the IP addresses are not shunned at the IP level, but are shunned at Layer 7.
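The decision sequence in the list above, as an added example that is not F5's code: a small Python model that applies the default dosl7d.* thresholds from the table to constructed per-interval request counts and replays the shun, IP-level block, expiry and re-inspection steps. The IP addresses and counts are constructed; the rule that both the request rate and the success ratio must cross their thresholds follows the table above.

```python
from dataclasses import dataclass, field

# Thresholds mirror the dosl7d.* defaults from the table above.
MIN_SUCCESS_RATIO = 0.10   # dosl7d.min_challenge_success_ratio (10%)
MIN_RPS = 10               # dosl7d.min_challenge_rps
SHUN_SECONDS = 120         # dosl7d.shun_prevention_time


@dataclass
class ShunList:
    """Tracks which source IPs are shunned and when each entry expires."""
    shunned_until: dict = field(default_factory=dict)  # ip -> expiry (seconds)

    def is_shunned(self, ip: str, now: float) -> bool:
        expiry = self.shunned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:               # prevention time elapsed: drop the entry
            del self.shunned_until[ip]
            return False
        return True

    def evaluate(self, ip: str, requests: int, blocked: int,
                 interval_s: float, now: float) -> str:
        """Return 'shun-blocked', 'shunned' (added now) or 'l7-inspected'
        for one IP over a measurement interval of interval_s seconds."""
        if self.is_shunned(ip, now):
            return "shun-blocked"
        rps = requests / interval_s
        success_ratio = (requests - blocked) / requests if requests else 1.0
        # Both conditions must hold: enough volume AND too few good transactions.
        if rps >= MIN_RPS and success_ratio < MIN_SUCCESS_RATIO:
            self.shunned_until[ip] = now + SHUN_SECONDS
            return "shunned"
        return "l7-inspected"


def walk_through() -> list:
    """Replay the sequence from the 'Result' list with constructed counts."""
    shun = ShunList()
    attacker, slow_client = "203.0.113.7", "198.51.100.4"   # constructed IPs
    return [
        # 10 rps with 95% of requests blocked: goes on the shun list.
        shun.evaluate(attacker, 600, 570, 60, now=0),
        # Still inside the 120 s prevention time: dropped at the IP level.
        shun.evaluate(attacker, 600, 600, 60, now=60),
        # Entry expired; now 95% succeed, so traffic is inspected by L7 DoS.
        shun.evaluate(attacker, 600, 30, 60, now=120),
        # 98% blocked but only 2 rps: below min_challenge_rps, never shunned.
        shun.evaluate(slow_client, 120, 118, 60, now=0),
    ]
```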