Manual Chapter : Managing DoS Profiles in Shared Security

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

About DoS profiles

A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.

Using Shared Security, you can configure DoS profiles to help prevent network, SIP, and DNS DoS and DDoS attacks, and to detect and protect against DoS attacks aimed at the resources used to serve the application (the web server, web framework, and the application logic).

DoS profile considerations when deploying to BIG-IP device clusters

In some cases, deploying a configuration containing a DoS profile from BIG-IQ® Centralized Management to a BIG-IP® device cluster can cause the cluster to become unsynchronized. If that occurs, manually synchronize the BIG-IP device cluster. Then, reimport the BIG-IP system configuration to BIG-IQ Centralized Management, and select Use BIG-IP system as the operation to resolve any differences.

DoS profile considerations when managing multiple BIG-IP device versions

You use BIG-IQ Centralized Management to manage multiple BIG-IP devices which can have multiple versions. In most cases, this is handled seamlessly. However, in certain cases, objects differ significantly between BIG-IP device versions, and these objects require special handling when shared between BIG-IP device versions.

  • Address lists in DoS profiles

    DoS profiles that have address lists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later.

  • Whitelists in DoS profiles

    DoS profiles that have whitelists configured cannot be shared between BIG-IP devices that are version 12.1 or earlier and BIG-IP devices that are version 13.0 or later. In the BIG-IQ Centralized Management DoS Profile, you configure whitelists differently, based on the BIG-IP device version you are managing.

    • To use a DoS profile to manage a BIG-IP device version 12.1 or earlier, select a whitelist value using the IP Address Whitelist setting on the DoS Profile Application Security Properties screen.
    • To use a DoS profile to manage a BIG-IP device version 13.0 or later, select a whitelist value using the HTTP Whitelist setting on the DoS Profile Properties screen.

    Do not select a value for both the HTTP Whitelist and the IP Address Whitelist settings in the same DoS profile.

Create DoS profiles

You can create a DoS profile and configure the circumstances under which the system considers traffic to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click Create.
  3. In the New DoS Profile screen, add and set the properties as appropriate.
  4. In the Name setting, specify a unique name for the DoS profile.
  5. In the Description setting, specify an optional description for the DoS profile.
  6. In the Partition setting, specify the partition to which the DoS profile belongs. You can replace the default Common partition when creating DoS profiles by typing a unique name for a new partition.
    The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
  7. In the Threshold Sensitivity setting, specify the threshold sensitivity for the DoS profile. Thresholds for detecting attacks are higher when sensitivity is Low, and lower when sensitivity is High.
    This property is not used with the Application Security protection type.
  8. In the Source IP Address Whitelist setting, specify the configuration of the Source IP address white list.
    This property is not used with the Application Security protection type.
  9. In the HTTP Whitelist setting, specify the HTTP whitelist to use.
    This setting is applied only to BIG-IP devices version 13.0, or later.
  10. Select a DoS protection type from the list on the left.
    Application Security: Click Application Security > Properties, then select the Application Security check box, Enabled. When enabled, this protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature. Supply or modify any necessary property values.
    Protocol DNS: Click Protocol DNS, then select the Protocol DNS Protection check box, Enabled. When enabled, this protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Supply or modify any necessary property values.
    Protocol SIP: Click Protocol SIP, then select the Protocol SIP Protection check box, Enabled. When enabled, this protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.
    Network: Click Network, then select the Network Protection check box, Enabled. When enabled, this protects your server against network DoS attacks. Supply or modify any necessary property values.

  11. When you are finished, save your work.
The new DoS profile is added to the list of profiles.

Configure for application security

Your virtual server must include an HTTP profile to use the application security feature.
You can configure the conditions under which the system determines that your application is under a DoS attack, and how the system reacts to a suspected attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name to configure.
  3. On the left, click Application Security to expand the list.
  4. Click Properties to display the General Settings screen and configure the application security general settings.
    1. In the Application Security setting, select Enabled to use application security protection and display additional properties.
    2. In the IP Address Whitelist setting, specify the IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
      • To add an IP address to the whitelist, type it in the upper field, and click Add. The IP address is added to the whitelist in the lower field.
      • To delete an IP address from the whitelist, select the IP address from the whitelist in the lower field, and click Remove.
      This setting is applied only to BIG-IP devices earlier than version 13.0.
    3. In the Geolocations setting, specify that you want to override the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
      • To allow traffic from a country, select the country and move it to the Geolocation Whitelist.
      • To block traffic from a country, select the country and move it to the Geolocation Blacklist.
    4. In the Trigger iRule setting, enable this setting if you have an iRule that manages DoS events in a customized manner.
    5. In the Single Page Application setting, enable this setting if your website is a single page application.
    6. In the URL Patterns setting, configure the URL patterns to be used. Each URL pattern defines a set of URLs which are logically the same URL, with the varying part of the pattern acting as a parameter, such as /product/*php.
      • To add the URL pattern to the list, type the URL pattern and click Add.
      • To remove the URL pattern from the list, select the pattern from the URL Patterns list, and click Remove.
  5. To use the Proactive Bot Defense screen to configure those settings, click Proactive Bot Defense.
    Operation Mode: Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks, or Always. If Off is selected, no other settings are displayed on this tab.
    Block requests from suspicious browsers: Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
    • Select the Block Suspicious Browsers check box to enable or disable blocking of suspicious browsers.
    • Select the CAPTCHA Challenge check box to enable or disable issuing a challenge. Click CAPTCHA Response Settings to select the responses to use.
    Grace Period: Specifies the time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click Reset to Default to reset the value.
    Cross-Domain Requests: You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the Cross-Domain Requests options.
    Related Site Domains: Specifies the domains that are part of the web site and protected by Proactive Bot Defense. Add domains by typing a domain in the text box and clicking Add. Remove a domain by selecting it and clicking Remove.
    Related External Domains: Specifies the external domains (those not part of your web site) that are allowed to reference resources in your website. Add domains by typing a domain in the field and clicking Add. Remove a domain by selecting it in the text box and clicking Remove.
    URL Whitelist: Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the whitelist by typing a URL in the text box and clicking Add. Remove a URL by selecting it and clicking Remove.
  6. To use the Bot Signatures screen to configure those settings, click Bot Signatures.
    Bot Signature Check: Select Enabled to display settings. You cannot disable the Bot Signature Check property while Proactive Bot Detection, TPS-based Detection with By Device ID selected, or Stress-based Detection with By Device ID selected, is enabled. To disable the Bot Signature Check property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling Bot Signature Check, you can disable categories of bot signatures individually.
    Malicious Categories and Benign Categories: These two category lists are handled similarly. For either category, select None, Report, or Block. That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.
    Disabled Bot Signatures: Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the Available Signatures list and the Disabled Signatures list.
  7. To configure settings for the detection of DoS attacks based on a high volume of incoming traffic, click TPS-based Detection.
    Operation Mode: Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
    Thresholds Mode: Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select Manual.
    • To use the system default mitigation threshold settings, select Automatic.
    Your Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
    Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  8. To configure settings for the detection of DoS attacks based on server stress, click Stress-based Detection.
    Operation Mode: Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
    Thresholds Mode: Specifies how thresholds are configured.
    • To configure each mitigation behavior threshold manually, select Manual.
    • To use the system default mitigation threshold settings, select Automatic.
    Your Thresholds Mode selection affects which threshold options are available in the other sections on this screen.
    By Source IP: Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID: Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation: Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL: Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL. Heavy URL Protection can also be enabled, but needs to be configured. Click the Click to configure link next to the option to do so.
    Site Wide: Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Detection and Mitigation: Specifies the mitigation behavior, and when enabled, the selected level of mitigation to use.
    • For the Bad actors behavior detection setting, select Enabled to perform traffic behavior, server capacity learning, and anomaly detection.
    • For the Request signatures detection setting, select Enabled to perform signature detection. Select Use approved signatures only to use only approved signatures.
    • For the Mitigation setting, select the type of mitigation to be used. Review the description of each mitigation type to select the best one for your environment.
    Prevention Duration: Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  9. To configure settings for protecting heavy URLs during DoS attacks, click Heavy URL Protection.
    Heavy URLs are those which have a potential to cause stress on the server, even with a low TPS count.
    Automatic Detection: Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
    Heavy URLs: You can configure a list of heavy URLs to protect in addition to the automatically detected ones. Type a URL in the top field, and click Add. Optionally, for a BIG-IP device version 13.0 or later, enter a threshold value. To remove a URL from the list, select the URL from the text box, and click Remove.
    Ignored URLs: You can configure a list of URLs that are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the top field, and click Add. To remove a URL from the list, select the URL from the text box, and click Remove.
    Latency Threshold: If Automatic Detection is enabled, set the Latency Threshold setting to the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Reset to default to reset the value to 1000.
  10. To define the responses to use when issuing a challenge, click CAPTCHA Response Settings.
    Note: The exact format of a response body differs depending on the version of the BIG-IP device. Test and verify that any custom response you create works with your installed BIG-IP version.
    1. For the First Response Type, select Default to use the default response, or select Custom to create your own first response body by entering it into the First Response Body area.
      Here is an example first response body:
      This question is for testing whether you are a human visitor and to prevent automated spam submission.
      <br>
      %DOSL7.captcha.image% %DOSL7.captcha.change%
      <br>
      <b>What code is in the image?</b>
      %DOSL7.captcha.solution%
      <br>
      %DOSL7.captcha.submit%
      <br>
      <br>
      Your support ID is: %DOSL7.captcha.support_id% 
    2. For the Failure Response Type, select Default to use the default response or select Custom to create your own failure response body by entering it into the Failure Response Body area.
      Here is an example failure response body:
      You have entered an invalid answer for the question. Please, try again.
      <br>
      %DOSL7.captcha.image% %DOSL7.captcha.change%
      <br>
      <b>What code is in the image?</b>
      %DOSL7.captcha.solution%
      <br>
      %DOSL7.captcha.submit%
      <br>
      <br>
      Your support ID is: %DOSL7.captcha.support_id% 
  11. Click Record Traffic to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    You can record traffic and collect the TCP dump files into the QuickView file so that F5 Support can use it for solving customer cases. The files have a pcap extension and are located in this path on the BIG-IP device: /shared/dosl7/tcpdumps.
    Record Traffic During Attacks: Controls whether traffic recording is used. The default is disabled and causes other properties to be hidden. Note that the system records SSL traffic in encrypted form. Select Enabled to specify that the system record traffic when a DoS attack is underway, and display settings.
    Maximum TCP Dump Duration: Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
    Maximum TCP Dump Size: Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
    TCP Dump Repetition: Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
  12. Save your work.
The settings are incorporated into the DoS profile.
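As an added illustration of step 9 (Heavy URL Protection), not code from BIG-IQ or the F5 documentation: an offline approximation of what the three heavy-URL settings do, run over a constructed sample of request latencies, using the page's default Latency Threshold of 1000 ms, an Ignored URLs wildcard, and a manually listed heavy URL. Grouping requests by path with the query string dropped is my assumption, not something the page states.

```python
import fnmatch
from collections import defaultdict
from statistics import mean

LATENCY_THRESHOLD_MS = 1000  # the page's default Latency Threshold

# Constructed sample of (requested URL, server latency in milliseconds) pairs,
# standing in for what the device would measure on the application's traffic.
SAMPLE_REQUESTS = [
    ("/search?q=shoes", 1800), ("/search?q=boots", 2200), ("/search?q=hats", 1600),
    ("/index.html", 40), ("/index.html", 55),
    ("/reports/export.csv", 4000),
    ("/healthz", 1500), ("/healthz", 1700),
]


def detect_heavy_urls(requests, latency_threshold_ms=LATENCY_THRESHOLD_MS,
                      manual_heavy=(), ignored_patterns=()):
    """Return the set of URL paths to protect as heavy URLs.

    Mirrors the settings in step 9: URLs listed manually (Heavy URLs) are always
    included; every other path is included when its mean latency exceeds the
    threshold (Automatic Detection), unless an Ignored URLs wildcard matches it.
    Assumption: requests are grouped by path, with the query string dropped.
    """
    latencies = defaultdict(list)
    for url, latency_ms in requests:
        path = url.split("?", 1)[0]
        latencies[path].append(latency_ms)

    heavy = set(manual_heavy)
    for path, samples in latencies.items():
        if any(fnmatch.fnmatchcase(path, pattern) for pattern in ignored_patterns):
            continue  # excluded from automatic detection, as the Ignored URLs list does
        if mean(samples) > latency_threshold_ms:
            heavy.add(path)
    return heavy


if __name__ == "__main__":
    found = detect_heavy_urls(SAMPLE_REQUESTS, manual_heavy=("/login",),
                              ignored_patterns=("/health*",))
    print(sorted(found))  # /login (manual), /reports/export.csv and /search (slow)
```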

Configure for protocol DNS security

You can configure the conditions under which the system determines that your DNS server is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click Protocol DNS Security to display the Properties screen.
  4. On the Properties screen, select the Enabled check box for Protocol DNS Protection.
  5. To enable Protocol Errors Attack Detection, select the Enabled check box.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    1. In the Rate increased by setting, specify that the system considers traffic to be an attack if the rate of requests increases above this number.
      By default, the system calculates this number every hour, and updates it every minute. The default is 500 percent.
    2. In the Rate threshold setting, specify the number of packets per second that must be exceeded to indicate to the system that there is an attack.
      The default is 250,000 packets per second.
    3. In the Rate limit setting, specify the limit in packets per second.
      The default is 2,500,000 packets per second.
  7. At the bottom of the screen, review the Known Attack Types list that shows commonly known DNS query types that you want the system to detect in packets.
  8. Enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP® system documentation, BIG-IP® Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
  9. Save your work.

Configure for protocol SIP security

Your virtual server must include a SIP profile to configure protocol SIP security in the DoS profile.
You can configure the conditions under which the system determines that your server, running SIP (Session Initiation Protocol), is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click Protocol SIP Security to display the Protocol SIP Security Properties screen.
  4. On the Properties screen, select the Enabled check box for Protocol SIP Protection.
    The screen displays additional properties.
  5. To enable Protocol Errors Attack Detection, select the Enabled check box.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    Rate increased by: Specifies that the system considers traffic to be an attack if the rate of requests increases by more than this percentage. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
    Rate threshold: Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
    Rate limit: Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
  7. At the bottom of the screen, review the Known Attack Types list that shows commonly known SIP method types that you want the system to detect in packets.
  8. Enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP® system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.
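The three adjustable settings in step 6 of the DNS procedure and step 6 of the SIP procedure are the same, so one added example serves both. It is an illustration I wrote, not BIG-IP or BIG-IQ code: a model that takes a per-minute packet-rate series, keeps a one-hour baseline, and reports when the page's defaults (500 percent, 250,000 pps, 2,500,000 pps) would flag an attack and how much traffic the rate limit would pass. The rolling-mean baseline and the rule that both detection settings must be exceeded are assumptions; confirm the device's exact behaviour in the BIG-IP documentation the section references.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ProtocolErrorSettings:
    """The three adjustable settings from the DNS and SIP procedures, page defaults."""
    rate_increased_by_pct: float = 500.0   # "Rate increased by": percent over the baseline
    rate_threshold_pps: int = 250_000      # "Rate threshold": absolute packets per second
    rate_limit_pps: int = 2_500_000        # "Rate limit": packets per second passed at most


class ProtocolErrorDetector:
    """Assumed model (not the device algorithm): the baseline is the mean of the last
    hour's per-minute samples, and an attack is flagged only when the current rate
    exceeds BOTH the absolute threshold and the percentage increase over that
    baseline. Packets above the rate limit are counted as dropped."""

    WINDOW_MINUTES = 60  # "calculates every hour, updates every minute"

    def __init__(self, settings: ProtocolErrorSettings = ProtocolErrorSettings()):
        self.settings = settings
        self.history = deque(maxlen=self.WINDOW_MINUTES)  # per-minute samples, last hour

    def baseline_pps(self) -> float:
        return mean(self.history) if self.history else 0.0

    def observe(self, pps: int) -> dict:
        """Evaluate one per-minute sample and return the decision for that minute."""
        s = self.settings
        base = self.baseline_pps()
        increase_pct = (pps - base) / base * 100.0 if base > 0 else float("inf")
        detected = pps > s.rate_threshold_pps and increase_pct > s.rate_increased_by_pct
        forwarded = min(pps, s.rate_limit_pps)
        self.history.append(pps)  # simplification: attack minutes also feed the baseline
        return {
            "pps": pps,
            "baseline_pps": base,
            "increase_pct": increase_pct,
            "detected": detected,
            "forwarded_pps": forwarded,
            "dropped_pps": pps - forwarded,
        }


def run_scenario(samples, settings=ProtocolErrorSettings()):
    """Feed constructed per-minute samples through the model; return the last decision."""
    detector = ProtocolErrorDetector(settings)
    result = None
    for pps in samples:
        result = detector.observe(pps)
    return result


if __name__ == "__main__":
    quiet_hour = [20_000] * 60                    # constructed: an hour of normal traffic
    print(run_scenario(quiet_hour + [300_000]))   # both conditions exceeded: detected
    print(run_scenario(quiet_hour + [100_000]))   # only +400%: not detected
    print(run_scenario(quiet_hour + [3_000_000])) # detected, and 500,000 pps over the limit
    # Constructed: an hour at 200,000 pps has already pulled the baseline up, so a
    # 600,000 pps burst is only +200% and passes the percentage check. This is why the
    # absolute threshold and the percentage deserve review together.
    print(run_scenario([200_000] * 60 + [600_000]))
```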

Configure for network security

You can configure the conditions under which the system determines that your server is under a network DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click Network Security to display the Properties screen.
  4. On the Properties screen, select the check box for Network Protection.
    The screen displays an area for configuring dynamic signatures, and a list of commonly known network attack types that the system can detect.
  5. In the Enforcement setting, select the enforcement state for dynamic signatures.
    This setting is available only for BIG-IP devices version 13.0 or later.
    • To enable enforcement of dynamic DoS vectors, select Enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Enabling enforcement causes additional options to be displayed.
    • To apply no action or thresholds to dynamic vectors, select Disabled.
    • To track dynamic vector statistics, without enforcing any thresholds or limits, select Learn-Only.
  6. In the Mitigation Sensitivity setting, specify the mitigation sensitivity for dynamic signatures (None, Low, Medium, or High).
  7. In the Redirection/Scrubbing setting, specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors.
    This enables handling of the dynamic vector hits by an IP intelligence category. Enabling redirection and scrubbing causes additional options to be displayed.
  8. In the Scrubbing Category setting, select the IP intelligence blacklist category to which scrubbed IP addresses are sent.
  9. In the Scrubbing Advertisement Time setting, type the duration in seconds for which an IP address is added to the blacklist category.
  10. In the Known Attack Types list, enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP® system documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.

Edit DoS profiles

You can edit DoS profiles to fine tune what the system considers to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Protection > DoS Profiles.
  2. In the DoS Profiles screen, click the name of the profile to modify.
    This locks the profile for editing and opens the properties screen.
    For details, consult these topics:
    • Configure for application security
    • Configure for protocol DNS security
    • Configure for protocol SIP security
    • Configure for network security
  3. Make edits as needed for your configuration.
    The system saves edits as you make them.