Applies To:Show Versions
Overview: Using Shun with Layer 7 DoS
Layer 7 DoS in Application Security Manager™ (ASM) is set up to automatically add IP addresses to a shun list (also called auto-blacklisting). The BIG-IP® system stops traffic that is thought to be causing a DoS attack, by adding it to a shun list for a limited time. L7 DoS maintains the shun list and auto-blacklisting works at Layer 7 when you configure an L7 DoS profile and attach it to a virtual server.
- You configure an L7 DoS profile and an IP intelligence policy, and then associate both with a virtual server, and
- You are using mitigations other than device ID or URL in the DoS profile.
The DoS profile you create should include all of the DoS mitigations you want to use for the application. For example, you could enable these protections:
- Proactive Bot Defense with CAPTCHA challenge
- Stress-based Detection with Request Blocking and Rate Limiting
- Heavy URL Protection set to automatic detection
Source IP addresses that are thought to be causing a DoS attack based on the mitigations you configured fall into the category of application denial of service blacklist, for which the IP intelligence policy is configured to drop. Together, and using fewer resources, the DoS profile and IP intelligence policy protect the web application from DoS attacks.
About the DoS shun list
Shun List system variables
The shun list is automatically managed with predefined conditions and thresholds set using system variables. These system variables are set to reasonable values by default. Do not change these variables unless you are an advanced BIG-IP® system user.
|Variable||Default Value||What It Specifies|
|dosl7d.shun_list||enable||Whether to use the shun list to block IP addresses.|
|dosl7d.min_challenge_success_ratio||10%||The minimum percentage of good transactions per IP address (or else the system adds it to the shun list).|
|dosl7d.min_challenge_rps||10||The minimum requests per second before the system can apply shun mitigation.|
|dosl7d.shun_prevention_time||120||The time in seconds (from 1-1000) to keep the IP address on the shun list.|
(tmos)# modify sys db dosl7d.shun_list value disable
Configuring DoS protection for applications
On the Main tab, click
. The DoS Profiles list screen opens.
The Create New DoS Profile screen opens.
- In the Name field, type the name for the profile, then click Finished.
In the list of DoS profiles, click the name of the profile you just created,
and click the Application Security tab.
This is where you set up application-level DoS protection.
In the General Settings, for Application
Security, click Edit and select the
Enabled check box.
General settings that you can configure are displayed.
To configure Heavy URL Protection, edit the setting for
which URLs to include or exclude, or use automatic detection.
Another task describes heavy URL protection in more detail.
To set up DoS protection based on the country where a request originates, edit
the Geolocations setting, selecting countries to allow or
- Click Edit.
- Move the countries for which you want the system to block traffic during a DoS attack into the Geolocation Blacklist.
- Move the countries that you want the system to allow (unless the requests have other problems) into the Geolocation Whitelist.
- Use the Stress-based or TPS-based Detection settings to select appropriate mitigations by geolocation in the How to detect attackers and which mitigation to use settings.
- When done, click Close.
- If you have written an iRule to specify how the system handles a DoS attack and recovers afterwards, enable the Trigger iRule setting.
- To better protect an applications consisting of one page that dynamically loads new content, enable Single Page Application.
If your application uses many URLs, in URL Patterns, you
can create logical sets of similar URLs with the varying part of the URL acting
like a parameter. Click Not Configured and type one or
more URL patterns, for example, /product/*.php.
The system then looks at the URL patterns that combine several URLs into one and can more easily recognize DoS attacks, for example, on URLs that might be less frequently accessed by aggregating the statistics from other similar URLs.
- Click Update to save the DoS profile.
Using an IP Intelligence policy with L7 DoS
On the Main tab, click
.The IP Intelligence Policies screen opens.
- Click Create to create a new IP Intelligence policy.
- In the Name field, type a name for the IP intelligence profile, such as ip-intell-l7.
- Leave the Default Action list set to Drop.
For Blacklist Matching Policy, specify the action for
the application DoS category.
For Blacklist Category, select
L7 DoS classifies bad IP addresses in the shun list as application_denial_of_service by default. Other categories are for use if you purchased an IPI subscription (or IP intelligence database). Refer to information on IP intelligence blocking.
- For Action, select Drop.
- For Log Blacklist Category Matches, select Yes.
- Click Add.
- For Blacklist Category, select application_denial_of_service.
- Click Finished.
Associating a DoS profile and IP intelligence policy with a virtual server
On the Main tab, click
.The Virtual Server List screen opens.
- Click the virtual server that you want to have DoS protection and use the shun list.
- On the menu bar, from the Security menu, choose Policies.
To specify the shun list action for Layer 7 DoS, from the IP
Intelligence list, select Enabled, and then, from the
Policy list, select the IP intelligence policy (for example,
ip-intelligence) to associate with the virtual server.
You can also apply one IP intelligence policy at the global level that applies to all virtual servers on the system ().
- To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
- Click Update to save the changes.
Result of using shun list with Layer 7 DoS
Now you have associated both a DoS profile and an IP intelligence policy with the virtual server representing the application. Here's a general idea of what happens next:
- A client is sending lots of traffic from one IP address to the web application.
- Layer 7 DoS first inspects the traffic even before it gets to Application Security Manager™.
- If the client is blocked more than 90% of the time and it is sending at least 10 requests per second, the client IP address is put on the shun list.
- Traffic from the IP address on the shun list is blocked at the IP level (Layer 3) for two minutes.
- After that, the IP address is removed from the shun list.
- Traffic from the IP address is allowed through to L7 DoS where it is inspected according to the protections in the DoS profile.
- If the traffic is successful more than 10% of the time, it is allowed and handled by L7 DoS. Otherwise, that IP address is added back onto the shun list.
If DoS mitigation is performed by URL or device ID, the IP addresses are not shunned at the IP level, but are shunned at Layer 7.