Manual Chapter : Managing DoS Profiles in Shared Security

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.1.0
Manual Chapter

About DoS profiles

A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.

Using BIG-IQ® Shared Security, you can configure profiles to help prevent network, SIP, and DNS DoS and DDoS attacks and to detect and protect against DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic).

HTTP-GET attacks and page flood attacks are typical examples of application DoS attacks. These attacks are initiated either from a single user (single IP address) or from thousands of computers (distributed DoS attack), which overwhelms the target system. In page flood attacks, the attacker downloads all the resources on the page (images, scripts, and so on) while an HTTP-GET flood repeatedly requests specific URLs regardless of their place in the application.

DoS attack detection and prevention:

  • Detects and automatically drops packets that are malformed or contain errors.
  • Logs unusual increases in packets of any type, including packets that are malformed, packets that contain errors, or packets of any other type that appear to rapidly increase.

Creating DoS profiles

You can create a DoS profile and configure the circumstances under which the system considers traffic to be a DoS attack and how the system handles a DoS attack.
  1. Click DoS Profiles.
  2. In the DoS Profiles screen, click Create.
  3. In the DoS Profiles - New Item screen, add and set the properties as appropriate.
    Property Description
    Name Required. Specify a unique name for the DoS profile.
    Description Specify an optional description for the DoS profile.
    Partition Required. Specify the partition to which the DoS profile belongs. Although this field is pre-populated with Common (default), you can set the partition when creating DoS profiles by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
  4. Select the check box to the right of one or more protection types. When you select a protection type, the system adds a tab dynamically. For example, when you select Application Security, the system adds a tab with that label.
    Option Description
    Application Security When enabled, protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature.

    Click the Application Security tab to configure the protection type. Supply or modify any necessary property values. For configuration setting details, consult the relevant following section.

    Protocol DNS When enabled, protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature.

    Click the Protocol DNS tab to configure the protection type. Supply or modify any necessary property values. For configuration setting details, consult the relevant following section.

    Protocol SIP When enabled, protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.

    Click the Protocol SIP tab to configure the protection type.For configuration setting details, consult the relevant following section.

    Network When enabled, protects your server against network DoS attacks.

    Click the Network tab to configure the protection type. Supply or modify any necessary property values. For configuration setting details, consult the relevant following section.

  5. When finished, click Save to save the DoS profile, or click Save & Close to save the DoS profile and return to the DoS Profiles screen.
The new DoS profile is added to the list of profiles.

Configuring for Application Security

You can configure the conditions under which the system determines your application is under a DoS attack, and how the system reacts to a suspected attack. Your virtual server must include an HTTP profile to use this feature.
  1. In Shared Security, click DoS Profiles.
  2. In the DoS Profiles screen, click the profile name to configure.
  3. On the Properties tab, select the check box to enable Application Security.
  4. Select the Application Security tab.
  5. Specify the settings as described for each tab. The system saves settings as you enter them.
    Tab Description of Settings
    General Settings tab
    • Trigger iRule. Enable this setting if you have an iRule that manages DoS events in a customized manner. When enabled, specifies that the system activates an Application DoS iRule event. Enable this setting if you write an iRule that tells the system how to manage after a DoS attack. The default is disabled.
    • IP Whitelist. Specifies IP addresses, including subnet masks, that the system considers legitimate and does not examine when performing DoS prevention. Note that after you add an IP address to this whitelist, the system automatically adds this IP address to all Anomaly Detection whitelists, and to the IP Address Exceptions list on the BIG-IP device.

      To add an IP address to the whitelist, type an IP address in the text box and click Add.

    • Geolocation Whitelist. Overrides the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow traffic during a DoS attack. To add countries to the whitelist, select from the Country list and click Add.
    • Geolocation Blacklist. Overrides the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to block traffic during a DoS attack. To add countries to the blacklist, select from the Country list and click Add.
    Proactive Bot Defense tab
    • Operation Mode. Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks or Always. If Off is selected, no other settings are displayed on this tab.
    • Block requests from suspicious browsers. Strengthens the bot defense by blocking suspicious browsers. The system completely blocks highly suspicious browsers; it challenges with CAPTCHA moderately suspicious browsers.
    • Grace Period. Gives time for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated.
    • Cross-Domain Requests. You can add additional security by allowing only configured domains to reference resources of the site. From the list, select one of the options. Domains can also be configured after selecting one of the Cross-Domain Requests options.
    • URL Whitelist. Specifies excluded URLs. Proactive Bot Defense will not block requests to these URLs, although requests may still be blocked by the TPS-based / Stress-based attack mitigation. To add URLs to the whitelist, type a URL in the text box, and click Add.
    Bot Signatures tab
    • Bot Signature Check. Select Enabled or Disabled.

      You cannot disable the Bot Signature Check property while Proactive Bot Defense is enabled. To disable the Bot Signature Check property, you must disable Proactive Bot Defense .

    • Bot Signature Categories. There are two category lists that are handled similarly: Malicious Categories and Benign Categories.

      For either category, select None, Report or Block. The selected setting is then applied to all the listed categories. The categories can also be individually changed to another value. If you change them individually, the value for the Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.

    • Bot Signatures List. Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the Available Signatures and the Disabled Signatures lists.
    TPS Based Detection tab In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage you configure on this tab (the TPS increased by percentage), the system detects that the URL/site is under attack, or the IP address/geolocation is attacking. To stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.
    • Operation Mode. Specifies how the system reacts when it detects an attack.
    • Source IP-based. Specifies the criteria that determine when the system treats the IP address as an attacker. If the system reaches these thresholds, it prevents further attacks by limiting the number of requests per second to the history interval. The system does not return the blocking response page.
    • Geolocation-based. Specifies that if both criteria are met, the system treats the country as an attacker. If the system reaches these values, it prevents further attacks by limiting the number of requests per second to the history interval. The system does not return the blocking response page. The settings exclude blacklisted and whitelisted geolocations.
    • URL-based. Specifies the criteria that determine when the system determines that a URL is under attack. If requests for URLs meet either of the conditions in these settings, the system prevents further attacks by limiting the number of requests per second to the history interval. The system does not return the blocking response page.
    • Site-wide. Specifies the criteria that determine when the system determines an entire website is under attack. The system prevents further attacks by limiting the number of requests per second to the history interval. The system does not return the blocking response page.
    • Prevention Duration. Specifies the time spent in each mitigation step before moving to the next mitigation step.
    Stress Based Detection tab In this tab, configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed, or the system found a behavioral anomaly.
    • Operation Mode. Specifies how the system reacts when it detects an attack.
    • Source IP-based. Specifies the criteria under which the system treats the IP address as suspicious (suspects the IP address is an attacker). If the system detects an attack according to the detection criteria, IP rate limiting will be done on the suspicious IP addresses. The system prevents the attack by limiting the number of requests per second. The system does not return the blocking response page. The system considers an IP as an attacking entity if either conditions occurs.
    • Geolocation-based. Specifies the conditions under which the system considers requests from a country as suspicious. The system performs mitigation methods on traffic from suspicious countries if at least one By Geolocation mitigation method is enabled and both conditions are met. The settings exclude blacklisted and whitelisted geolocations.
    • URL-based. Specifies the criteria that determine when the system suspects the URL to be attacked. If an attack is detected according to the detection criteria, URL rate limiting will be done on the suspicious URLs. The system prevents the attack by limiting the number of requests per second. The system does not return the blocking response page. The system considers a URL as an attacked entity if either condition occurs.
    • Site-wide. Specifies the conditions under which the entire site is considered suspicious and provides mitigation options.
    • Prevention Duration. Specifies the time spent in each mitigation step before moving to the next mitigation step.
    Heavy URL Protection tab
    • Heavy URL Protection. Select Enabled to protect heavy URLs during DoS attacks.
    • Automatic Detection. Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
    • Latency Threshold. If Automatic Detection is enabled, set the Latency Threshold field to be the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Set default threshold to reset the value to 1000.
    • Heavy URLs. Enables you to configure a list of heavy URLs to protect in addition to the automatically detected ones.

      Type a URL in the text box, and click Add.

    • Ignored URLs. Enables you to configure a list of URLs which are excluded from automatic detection as heavy URLs. The system supports wildcards.

      Type a URL in the text box, and click Add.

    Record Traffic tab This tab enables the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    • Record Traffic During Attacks. The system records traffic during DoS attacks on the virtual server in which it detected the attack. You can collect the TCP dump files into the QuickView file so that F5 support can use it for solving customer cases. The files have a pcap extension and are located in the following path on the BIG-IP device:

      /shared/dosl7/tcpdumps

      The default is disabled. Note that the system records SSL traffic encrypted.

      Select Enabled to specify that the system record traffic when a DoS attack is underway.

    • Maximum TCP Dump Duration. Displays the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
    • Maximum TCP Dump Size. Displays the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
    • TCP Dump Repetition. Specifies whether the system performs one dump or multiple dumps for each DoS attack.
The settings are incorporated into the profile.

Configuring for Protocol DNS

You can use this tab to configure the conditions under which the system determines that your DNS server is under a DoS attack.
  1. In Shared Security, click DoS Profiles.
  2. In the DoS Profiles screen, click the profile you want to configure.
  3. On the Properties tab, be sure the check box for Protocol DNS is selected.
  4. Select the Protocol DNS tab.
  5. To enable Protocol Errors Attack Detection, select Enabled from the list.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    Setting Description
    Rate increased by Specifies that the system considers traffic to be an attack if the rate of requests increases greater than this number. By default, the system calculates this number every hour and updates it every minute. The default is 500 percent.
    Rate threshold Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default is 250,000 packets per second.
    Rate Limit Specifies the limit in packets per second. The default is 2,500,000 packets per second.
    DNS Query Attack Detection The screen lists commonly known DNS query types that you want the system to detect in packets. To enable individually, select the Enabled check box to the right of the query type (and under Detection Status). Then, specify threshold, rate increase, and rate limit for the particular query type.
The settings are incorporated into the profile.

Configuring for Protocol SIP

You can use this tab to configure the conditions under which the system determines that your server, running the SIP protocol, is under a DoS attack.
  1. In Shared Security, click DoS Profiles.
  2. In the DoS Profiles screen, click the profile you want to configure.
  3. On the Properties tab, be sure the check box for Protocol SIP is selected.
  4. Select the Protocol SIP tab.
  5. To enable Protocol Errors Attack Detection, select Enabled from the list.
    When enabled, the system detects SIP attacks based on a high volume of protocol errors, and displays both how many packets with errors per second are allowed before the system tracks SIP traffic anomalies, and in percentage, how much of an increase in SIP traffic with errors is legal before the system tracks SIP traffic anomalies.
    Specify the following settings as necessary for your configuration. The system saves settings as you enter them.
    Setting Description
    Rate increased by Specifies that the system considers traffic to be an attack if the rate of requests increases greater than this number. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
    Rate threshold Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
    Rate Limit Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
    SIP Method Attack Detection The table identifies commonly-known SIP method types that you want the system to detect in packets. Enable a method type by selecting the Enabled check box under Detection Status. Then, specify threshold, rate increase, and rate limit for the particular method type.
The settings are incorporated into the profile.

Configuring for Network Security

In this tab, you can configure the conditions under which the system determines that your server is under a network DoS attack.
  1. In Shared Security, click DoS Profiles.
  2. In the DoS Profiles screen, click the profile you want to configure.
  3. On the Properties tab, be sure the check box to enable Network is selected.
  4. Select the Network tab.
  5. Attack types appear along with adjustable settings for thresholds, rate increases, and rate limits for each attack type you enable. Specify the settings as necessary for your configuration.
    Setting Description
    Attack Types Enable each attack type by selecting the Enabled check box to the right of the attack type (and in the Detection Status column). Then, specify settings for thresholds, rate increases, and rate limits.
    Threshold Specifies the number of packets per second, averaged over the previous minute, that must be exceeded to indicate that there is an attack underway. The default setting is 1000 packets per second.
    Rate Increase If the rate of requests increases greater than the number specified here, the system considers the traffic to be an attack. By default, the system calculates this number every hour and updates it every minute. The default setting is 500 percent.
    Rate Limit Specifies the absolute limit of such packets allowed per second.
The settings are incorporated into the profile.

Editing DoS profiles

You can edit DoS profiles to fine tune the circumstances under which the system considers traffic to be a DoS attack and how the system handles a DoS attack.
  1. Click DoS Profiles.
  2. In the DoS Profiles screen, click the name of the profile to modify. The profile is locked for editing.
    For details, consult the sections in this guide:
    • Configuring for Application Security
    • Configuring for Protocol DNS
    • Configuring for Protocol SIP
    • Configuring for Network Security
  3. Perform edits as needed for your configuration. The system saves edits as you make them.
Changes to the DoS profile are saved.