Applies To:
F5 DDoS Hybrid Defender 13.0.0
About DoS sweep and flood attack prevention
A sweep attack is a network scanning technique that sweeps your network by sending packets to many addresses and using the responses to determine which hosts are live. Sweeps typically use ICMP to accomplish this.
The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined Single Endpoint Sweep criteria and exceed the rate limit are dropped. You can also configure the Sweep vector to automatically blacklist the IP address from which a Sweep attack originates.
A flood attack is an attack technique that floods your network with packets of a certain type in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without ever sending the corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.
The Flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped. The system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.
You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.
Sweep and flood prevention is the first form of mitigation that is limited to the affected hosts. For example, the TCP SYN flood vector rate limits all TCP SYNs, good and bad, once its rate limit threshold is reached. Sweep protection detects and rate limits only the offending sources, and Flood protection detects and limits only the traffic to the targeted host. Mitigating attacks with these vectors therefore causes far less collateral damage, so you can set their limits lower than would be reasonable for the indiscriminate vectors.
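The following is an added illustration, not F5 code, of the per-source (Sweep) and per-destination (Flood) accounting described above, with the Sweep vector evaluated first. The `Vector` and `SweepFloodModel` names, the fixed-window counting and all thresholds and addresses are assumptions made for this example; the real product's rate-limiting algorithm is not described on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified model of the two vectors: Sweep counts packets per
# source, Flood per destination; each has a detection threshold (report) and a
# rate limit (drop). Counts are per fixed window; thresholds are sample values.

@dataclass
class Vector:
    detection: int           # packets per window at which an attack is reported
    rate_limit: int          # packets per window above which packets are dropped
    blacklist: bool = False  # Sweep only: block further packets from the source

class SweepFloodModel:
    def __init__(self, sweep: Vector, flood: Vector):
        self.sweep, self.flood = sweep, flood
        self.per_src, self.per_dst = defaultdict(int), defaultdict(int)
        self.blacklisted, self.events = set(), []

    def process(self, packets):
        """packets: iterable of (src, dst) in one window. Returns verdict counts."""
        verdicts = defaultdict(int)
        for src, dst in packets:
            if src in self.blacklisted:
                verdicts["dropped_blacklist"] += 1
                continue
            self.per_src[src] += 1  # Sweep vector is evaluated first
            if self.per_src[src] == self.sweep.detection + 1:
                self.events.append(("sweep_detected", src))
            if self.per_src[src] > self.sweep.rate_limit:
                verdicts["dropped_sweep"] += 1
                if self.sweep.blacklist:
                    self.blacklisted.add(src)
                continue  # dropped here, so it never reaches the Flood counter
            self.per_dst[dst] += 1  # Flood vector: per destination
            if self.per_dst[dst] == self.flood.detection + 1:
                self.events.append(("flood_detected", dst))
            if self.per_dst[dst] > self.flood.rate_limit:
                verdicts["dropped_flood"] += 1
                continue
            verdicts["forwarded"] += 1
        return dict(verdicts)

def run_scenario(packets):
    model = SweepFloodModel(Vector(50, 100, blacklist=True), Vector(100, 200))
    return model.process(packets), model.events

SCAN = [("10.0.0.9", f"192.0.2.{i}") for i in range(1, 151)]  # constructed: one source, 150 hosts
FLOOD = [(f"198.51.100.{j}", "192.0.2.200") for j in range(60) for _ in range(5)]  # 60 sources, one victim
LEGIT = [(f"203.0.113.{k}", "192.0.2.250") for k in range(10) for _ in range(3)]  # unaffected traffic
SINGLE = [("10.0.0.7", "192.0.2.200")] * 300  # one source flooding one destination
```

Running `run_scenario(SCAN + FLOOD + LEGIT)` drops only the scanner's excess packets and the surplus toward the flooded host while every `LEGIT` packet is forwarded; `run_scenario(SINGLE)` is stopped entirely by the Sweep vector and never trips Flood detection.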