- MyF5 Home
- Knowledge Centers
- BIG-IQ Centralized Management
- F5 BIG-IQ Centralized Management: Security
- Managing DoS Profiles in Shared Security
Applies To:
Show VersionsBIG-IQ Centralized Management
- 5.4.0
About DoS profiles
A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.
Using Shared Security, you can configure DoS profiles to help prevent network, SIP, and DNS DoS and DDoS attacks, and to detect and protect against DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic).
DoS profile considerations when deploying to BIG-IP device clusters
In some cases, deploying a configuration containing a DoS profile from BIG-IQ® Centralized Management to a BIG-IP® device cluster can cause the cluster to become unsynchronized. If that occurs, manually synchronize the BIG-IP device cluster. Then, reimport the BIG-IP system configuration to BIG-IQ Centralized Management, and select Use BIG-IP system as the operation to resolve any differences.
DoS profile considerations when managing multiple BIG-IP device versions
You use BIG-IQ Centralized Management to manage multiple BIG-IP devices which can have multiple versions. In most cases, this is handled seamlessly. However, in certain cases, objects differ significantly between BIG-IP device versions, and these objects require special handling when shared between BIG-IP device versions.
- Address lists in DoS profiles
DoS profiles that have address lists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later.
- Whitelists in DoS profiles
DoS profiles that have whitelists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later. In the BIG-IQ Centralized Management DoS Profile, you configure whitelists differently, based on the BIG-IP device version you are managing.
- To use a DoS profile to manage a BIG-IP device version 12.1 or earlier, select a whitelist value using the IP Address Whitelist setting on the DoS Profile Application Security Properties screen.
- To use a DoS profile to manage a BIG-IP device version 13.0 or later, select a whitelist value using the HTTP Whitelist setting on the DoS Profile Properties screen.
Do not select a value for both the HTTP Whitelist and the IP Address Whitelist settings in the same DoS profile.
Create DoS profiles
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
- In the DoS Profiles screen, click Create.
- In the New DoS Profile screen, add and set the properties as appropriate.
- In the Name setting, specify a unique name for the DoS profile.
- in the Description setting, specify an optional description for the DoS profile.
-
In the Partition setting, specify the partition to which
the DoS profile belongs. You can replace the default
Common partition when creating DoS profiles by typing
a unique name for a new partition.
The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
-
In the Threshold Sensitivity setting, specify the
threshold sensitivity for the DoS profile. Thresholds for detecting attacks are
higher when sensitivity is Low , and lower when
sensitivity is High.
This property is not used with the Application Security protection type.
-
In the Source IP Address Whitelist setting, specify the
configuration of the Source IP address white list.
This property is not used with the Application Security protection type.
-
In the HTTP Whitelist setting, specify the HTTP
whitelist to use.
This setting is applied only to BIG-IP devices version 13.0, or later.
-
Select a DoS protection type from the list on the left.
Option Description Application Security Click Application Security > Properties , then select the Application Securitycheck box, Enabled. When enabled, this protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature. Supply or modify any necessary property values.
Protocol DNS Click Protocol DNS, then select the Protocol DNS Protection check box, Enabled. When enabled, this protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Supply or modify any necessary property values.
Protocol SIP Click Protocol SIP, then select the Protocol SIP Protectioncheck box, Enabled. When enabled, this protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.
Network Click Network, then select the Network Protection check box, Enabled. When enabled, this protects your server against network DoS attacks. Supply or modify any necessary property values.
- When you are finished, save your work.
Configure for application security
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
- In the DoS Profiles screen, click the profile name to configure.
- On the left, click Application Security to expand the list.
-
Click Properties to display the General Settings screen
and configure the application security general
settings.
- In the Application Securitysetting, select Enabled to use application security protection and display additional properties.
-
In the IP Address Whitelist setting, specify the
IP addresses that the system considers legitimate and does not examine
when performing DoS prevention.
- To add an IP address to the whitelist, type it in the upper field, and click Add. The IP address is added to the whitelist in the lower field.
- To delete an IP address from the whitelist, select the IP address from the whitelist in the lower field, and click Remove.
-
In the Geolocations setting, specify that you
want to override the DoS profile's Geolocation Detection Criteria
threshold settings by selecting countries from which to allow or block
traffic during a DoS attack.
- To allow traffic from a country, select the country and move it to the Geolocation Whitelist.
- To block traffic from a country, select the country and move it to the Geolocation Blacklist.
- In the Trigger iRule setting, enable this setting if you have an iRule that manages DoS events in a customized manner.
- In the Single Page Application setting, enable this setting if your website is a single page application.
-
In the URL Patterns setting, Configure the URL
patterns to be used. Each URL pattern defines a set of URLs which are
logically the same URL with the varying part of the pattern acting as a
parameter, such as /product/*php
- To add the URL pattern to the list, type the URL pattern and click Add.
- To remove the URL pattern from the list, select the pattern from the URL Patterns list, and click Remove.
-
To use the Proactive Bot Defense screen to configure those settings, click
Proactive Bot Defense.
Property Description Operation Mode Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks, or Always. If Off is selected, no other settings are displayed on this tab. Block requests from suspicious browsers Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers. - Select the Block Suspicious Browsers check box to enable or disable blocking of suspicious browsers.
- Select the CAPTCHA Challenge check box to enable or disable issuing a challenge. Click CAPTCHA Response Settings to select the responses to use.
Grace Period Specifies time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click Reset to Default to reset the value. Cross-Domain Requests You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the Cross-Domain Requests options. Related Site Domains Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking Add. Remove a domain by selecting it and clicking Remove. Related External Domains Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking Add. Remove a domain by selecting it in the text box and clicking Remove. URL Whitelist Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the whitelist by typing a URL in the text box and clicking Add. Remove a URL by selecting it and clicking Remove. -
To use the Bot Signatures screen to configure those settings, click
Bot Signatures.
Property Description Bot Signature Check Select Enabled to display settings. You cannot disable the Bot Signature Check property while Proactive Bot Detection, TPS-based Detection with By Device ID selected, or Stress-based Detection with By Device ID selected, is enabled. To disable the Bot Signature Check property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling Bot Signature Check, you can disable categories of bot signatures individually. Malicious Categories and Benign Categories These two category lists are handled similarly. For either category, select None, Report, or Block. That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.
Disabled Bot Signatures Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the Available Signatures list and the Disabled Signatures list. -
To configure settings for the detection of DoS attacks based on a high volume
of incoming traffic, click TPS-based Detection.
Property Description Operation Mode Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown. Thresholds Mode Specifies how thresholds are configured. - To configure each mitigation behavior threshold manually, select Manual.
- To use the system default mitigation threshold settings, select Automatic.
By Source IP Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address. By Device ID Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device. By Geolocation Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations. By URL Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so. Site Wide Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used. Prevention Duration Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step. -
To configure settings for the detection of DoS attacks based on server stress,
click Stress-based Detection.
Property Description Operation Mode Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent or Blocking. If set to Off, no other properties are shown. Thresholds Mode Specifies how thresholds are configured. - To configure each mitigation behavior threshold manually, select Manual.
- To use the system default mitigation threshold settings, select Automatic.
By Source IP Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address. By Device ID Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device. By Geolocation Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations. By URL Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so. Site Wide Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used. Behavioral Detection and Mitigation Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use. - For the Bad actors behavior detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
- For the Request signatures detection setting, select Enabled to perform signature detection. Select Use approved signatures only to use only approved signatures.
- For the Mitigation setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment,
Prevention Duration Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step. -
To configure settings for protecting heavy URLs during DoS attacks, click
Heavy URL Protection.
Heavy URLs are those which have a potential to cause stress on the server, even with a low TPS count.
Property Description Automatic Detection Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually. Heavy URLs You can configure a list of heavy URLs to protect in addition to the automatically detected ones. Type a URL in the top field, and click Add. Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click Remove Ignored URLs You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click Add. To remove a URL from the list, select the URL from the text box, and click Remove Latency Threshold If Automatic Detection is enabled, set the Latency Threshold setting to be the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Reset to default to reset the value to 1000. -
To define the responses to use when issuing a challenge, click
CAPTCHA Response Settings.
Note: The exact format of a response body differs depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
-
For the First Response Type, select
Default to use the default response, or
select Custom to create your own first response
body by entering it into the First Response Body
area.
Here is an example first response body:
This question is for testing whether you are a human visitor and to prevent automated spam submission. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
-
For the Failure Response Type, select
Default to use the default response or select
Custom to create your own failure response
body by entering it into the Failure Response
Body area.
Here is an example failure response body:
You have entered an invalid answer for the question. Please, try again. <br> %DOSL7.captcha.image% %DOSL7.captcha.change% <br> <b>What code is in the image?</b> %DOSL7.captcha.solution% <br> %DOSL7.captcha.submit% <br> <br> Your support ID is: %DOSL7.captcha.support_id%
-
For the First Response Type, select
Default to use the default response, or
select Custom to create your own first response
body by entering it into the First Response Body
area.
-
Click Record Traffic to configure settings for the
recording of traffic (by performing a TCP dump) when a DoS attack is underway,
to diagnose the attack vectors and attackers, observe whether and how it was
mitigated, and draw conclusions for changing the DoS profile configuration.
You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a pcap extension and are located in this path on the BIG-IP device: /shared/dosl7/tcpdumps.
Property Description Record Traffic During Attacks Controls whether traffic recording is used. The default is disabled and causes other properties to be hidden. Note that the system records SSL traffic encrypted. Select Enabled to specify that the system record traffic when a DoS attack is underway, and display settings. Maximum TCP Dump Duration Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds. Maximum TCP Dump Size Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB. TCP Dump Repetition Specifies whether the system performs one dump, or multiple dumps, for each DoS attack. - Save your work.
Configure for protocol DNS security
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Protocol DNS Security to display the Properties screen.
- On the Properties screen, select the Enabled check box for Protocol DNS Protection.
- To enable Protocol Errors Attack Detection, select the Enabled check box.
-
Specify the adjustable settings as necessary for your configuration.
The system saves settings as you enter them.
-
In the Rate increased by setting, specify that
the system considers traffic to be an attack if the rate of requests
increases above this number.
By default, the system calculates this number every hour, and updates it every minute. The default is 500 percent.
-
In the Rate threshold setting, specify the
number of packets per second that must be exceeded to indicate to the
system that there is an attack.
The default is 250,000 packets per second.
-
In the Rate limit setting, specify the limit in
packets per second.
The default is 2,500,000 packets per second.
-
In the Rate increased by setting, specify that
the system considers traffic to be an attack if the rate of requests
increases above this number.
- At the bottom of the screen, review the Known Attack Types list that shows commonly known DNS query types that you want the system to detect in packets.
-
Enable and customize attack types individually:
- Click the name of the attack type to open the properties screen for it.
- Enable the Detection Status and specify the properties for the attack type detection.
Refer to the BIG-IP® system documentation, BIG-IP® Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type. - Save your work.
Configure for protocol SIP security
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Protocol SIP Security to display the Protocol SIP Security Properties screen.
-
On the Properties screen, select the Enabled check box
for Protocol SIP Protection.
The screen displays additional properties.
- To enable Protocol Errors Attack Detection, select the Enabled check box.
-
Specify the adjustable settings as necessary for your configuration.
The system saves settings as you enter them.
Setting Description Rate increased by Specifies that the system considers traffic to be an attack if the rate of requests increases greater than this number. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent. Rate threshold Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second. Rate limit Specifies the limit in packets per second. The default setting is 2,500,000 packets per second. - At the bottom of the screen, review the Known Attack Types list that shows commonly known SIP method types that you want the system to detect in packets.
-
Enable and customize attack types individually:
- Click the name of the attack type to open the properties screen for it.
- Enable the Detection Status and specify the properties for the attack type detection.
Refer to the BIG-IP® system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.
Configure for network security
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
- In the DoS Profiles screen, click the profile name you want to configure.
- On the left, click Network Security to display the Properties screen.
-
On the Properties screen, select the check box for Network
Protection.
The screen displays an area for configuring dynamic signatures, and a list of commonly-known network attack types that the system can detect.
-
In the Enforcement setting, select the enforcement state
for dynamic signatures.
This setting is available only for BIG-IP devices version 13.0 or later.
- To enable enforcement of dynamic DoS vectors, select Enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
- To apply no action or thresholds to dynamic vectors, select Disabled.
- To track dynamic vector statistics, without enforcing any thresholds or limits, select Learn-Only.
- In the Mitigation Sensitivity setting, specify the mitigation sensitivity for dynamic signatures (None, Low, Medium, or High).
-
In the Redirection/Scrubbing setting, specify whether to
enable redirection and scrubbing of IP addresses identified by dynamic
vectors.
This enables handling of the dynamic vector hits by an IP intelligence category. Enabling redirection and scrubbing causes additional options to be displayed.
- In the Scrubbing Category setting, select the IP intelligence blacklist category to which scrubbed IP addresses are sent.
- In the Scrubbing Advertisement Time setting, type the duration in seconds for which an IP address is added to the blacklist category.
-
In the Known Attack Types list, enable and customize attack types individually:
- Click the name of the attack type to open the properties screen for it.
- Enable the Detection Status and specify the properties for the attack type detection.
Refer to the BIG-IP® system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.
Edit DoS profiles
- Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles .
-
In the DoS Profiles screen, click the name of the profile to modify.
This locks the profile for editing and opens the properties screen.For details, consult these topics:
- Configure for application security
- Configure for protocol DNS security
- Configure for protocol SIP security
- Configure for network security
-
Make edits as needed for your configuration.
The system saves edits as you make them.