A shun list is a temporary list of IP addresses that have been sending lots of traffic that is failing 90%, or more, of the time. The failures occur as a result of any of the mitigation methods in use in the DoS profile, including CAPTCHA, request blocking, client-side integrity defense, proactive bot defense, and so on. The system creates a shun list of clients that repeatedly fail to respond to DoS JavaScript challenges, undergo high block ratios in rate limiting, or have been repeatedly handled by any of the other DoS mitigations. While these clients are on the shun list, all traffic they send is blocked.

Shun list features are set up using system variables. By default, the shun list is enabled, and clients remain on the list and are blocked for 120 seconds. The default value for the minimum ratio of successful responses to JavaScript challenges is 10% (to keep clients off the shun list). A client being considered for the shun list must be sending a minimum of 10 requests per second. Advanced users can change the default values, if necessary, by adjusting the system variables from the command line.

The shun list is automatically managed with predefined conditions and thresholds set using system variables. These system variables are set to reasonable values by default. Do not change these variables unless you are an advanced BIG-IP^® system user.

 (tmos)# modify sys db dosl7d.shun_list value disable

1. On the Main tab, click Security > DoS Protection > DoS Profiles .
   The DoS Profiles list screen opens.
2. Click Create.
   The Create New DoS Profile screen opens.
3. In the Name field, type the name for the profile, then click Finished.
4. In the list of DoS profiles, click the name of the profile you just created, and click the Application Security tab.
   This is where you set up application-level DoS protection.
5. In the General Settings, for Application Security, click Edit and select the Enabled check box.
   General settings that you can configure are displayed.
6. To configure Heavy URL Protection, edit the setting for which URLs to include or exclude, or use automatic detection.
   Another task describes heavy URL protection in more detail.
7. To set up DoS protection based on the country where a request originates, edit the Geolocations setting, selecting countries to allow or disallow.
   1. Click Edit.
   2. Move the countries for which you want the system to block traffic during a DoS attack into the Geolocation Blacklist.
   3. Move the countries that you want the system to allow (unless the requests have other problems) into the Geolocation Whitelist.
   4. Use the Stress-based or TPS-based Detection settings to select appropriate mitigations by geolocation in the How to detect attackers and which mitigation to use settings.
   5. When done, click Close.
8. If you have written an iRule to specify how the system handles a DoS attack and recovers afterwards, enable the Trigger iRule setting.
9. To better protect an applications consisting of one page that dynamically loads new content, enable Single Page Application.
10. If your application uses many URLs, in URL Patterns, you can create logical sets of similar URLs with the varying part of the URL acting like a parameter. Click Not Configured and type one or more URL patterns, for example, /product/*.php.
    The system then looks at the URL patterns that combine several URLs into one and can more easily recognize DoS attacks, for example, on URLs that might be less frequently accessed by aggregating the statistics from other similar URLs.
11. If you want to use performance acceleration, in Performance acceleration, select the TCP fastL4 profile to use as the fast-path for acceleration.
    The profiles listed are those created in Local Traffic > Profiles > Protocol > Fast L4 .
12. Click Update to save the DoS profile.

1. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies .
   The IP Intelligence Policies screen opens.
2. Click Create to create a new IP Intelligence policy.
3. In the Name field, type a name for the IP intelligence profile, such as ip-intell-l7.
4. Leave the Default Action list set to Drop.
5. For Blacklist Matching Policy, specify the action for the application DoS category.
   1. For Blacklist Category, select application_denial_of_service.
      L7 DoS classifies bad IP addresses in the shun list as application_denial_of_service by default. Other categories are for use if you purchased an IPI subscription (or IP intelligence database). Refer to information on IP intelligence blocking.
   2. For Action, select Drop.
   3. For Log Blacklist Category Matches, select Yes.
   4. Click Add.
6. Click Finished.

1. On the Main tab, click Local Traffic > Virtual Servers .
   The Virtual Server List screen opens.
2. Click the virtual server that you want to have DoS protection and use the shun list.
3. On the menu bar, from the Security menu, choose Policies.
4. To specify the shun list action for Layer 7 DoS, from the IP Intelligence list, select Enabled, and then, from the Policy list, select the IP intelligence policy (for example, ip-intelligence) to associate with the virtual server.
   You can also apply one IP intelligence policy at the global level that applies to all virtual servers on the system ( Security > Network Firewall > IP Intelligence ).
5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
6. Click Update to save the changes.

Now you have associated both a DoS profile and an IP intelligence policy with the virtual server representing the application. Here's a general idea of what happens next:

• A client is sending lots of traffic from one IP address to the web application.
• Layer 7 DoS first inspects the traffic even before it gets to Application Security Manager™.
• If the client is blocked more than 90% of the time and it is sending at least 10 requests per second, the client IP address is put on the shun list.
• Traffic from the IP address on the shun list is blocked at the IP level (Layer 3) for two minutes.
• After that, the IP address is removed from the shun list.
• Traffic from the IP address is allowed through to L7 DoS where it is inspected according to the protections in the DoS profile.
• If the traffic is successful more than 10% of the time, it is allowed and handled by L7 DoS. Otherwise, that IP address is added back onto the shun list.

If DoS mitigation is performed by URL or device ID, the IP addresses are not shunned at the IP level, but are shunned at Layer 7.