Manual Chapter : Preventing DoS Sweep and Flood Attacks

Applies To:


BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Preventing DoS Sweep and Flood Attacks

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique in which an attacker sends packets across a range of addresses in your network and uses the responses to determine which hosts are live. Typical sweeps use ICMP (for example, echo requests) to accomplish this.

The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined Single Endpoint Sweep criteria (the selected packet types), and that exceed the rate limit, are dropped.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the target system. A typical attack floods the system with TCP SYN packets without ever completing the handshake with the corresponding ACK. UDP flood attacks send a large volume of UDP packets, which forces the receiving host to check each destination port for a listening application and to send a response (typically an ICMP port-unreachable message) when there is none.

The Flood vector tracks packets by destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria (the selected packet types), and that exceed the rate limit, are dropped.

The BIG-IP® system detects such attacks when the packet rate crosses a configurable detection threshold, and drops packets that exceed a separately configured rate limit. The two settings are independent: the detection threshold controls logging and reporting, and the rate limit controls dropping.

You can configure DoS sweep and flood prevention to detect and prevent sweeps from a single source address, and floods to a single destination address, of ICMP, UDP, TCP SYN without ACK, or any IP packets, according to the threshold settings. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector; the flood vector sees only packets that the sweep vector has let through.

You can configure DoS sweep and flood prevention through the Device DoS profile.

Detecting and protecting against DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. If you are using remote logging, from the Log Publisher list, select a destination to which the BIG-IP® system sends DoS and DDoS log entries.
  3. In the Category column, expand the Single Endpoint category.
  4. Click Single Endpoint Flood.
    The Single Endpoint Flood screen opens.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the flood attack detection threshold. If packets of the selected types cross the threshold, an attack is logged and reported. The system re-evaluates the rate every second, and continues to report the attack for as long as the threshold is exceeded.
    • Use Infinite to set no detection threshold. This type of attack is then never logged or reported, even when the rate limit is dropping packets.
  6. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a rate (in packets per second) that packets of the selected types cannot exceed. All packets of these types above the rate limit are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no rate limit. This type of attack is then not rate-limited, even when it is detected and logged.
  7. In the Packet Type area, select the packet types you want to detect for flood attacks in the Available list, and click << to move them to the Selected list.
  8. Click the Update button.
    The flood attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically want to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. If you are using remote logging, from the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
  3. In the Category column, expand the Single Endpoint category.
  4. Click Single Endpoint Sweep.
    The Single Endpoint Sweep screen opens.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the sweep attack detection threshold. If packets of the selected types cross the threshold, an attack is logged and reported. The system re-evaluates the rate every second, and continues to report the attack for as long as the threshold is exceeded.
    • Use Infinite to set no detection threshold. This type of attack is then never logged or reported, even when the rate limit is dropping packets.
  6. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a rate (in packets per second) that packets of the selected types cannot exceed. All packets of these types above the rate limit are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no rate limit. This type of attack is then not rate-limited, even when it is detected and logged.
  7. In the Packet Type area, select the packet types you want to detect for sweep attacks in the Available list, and click << to move them to the Selected list.
  8. Click the Update button.
    The sweep attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide protection against DoS sweep attacks, and to allow such attacks to be identified in system logs and reports.
Configure flood attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Allowing addresses to bypass DoS checks with a whitelist

You can specify whitelist addresses that the DoS Protection profile and the DoS Device Configuration do not subject to DoS checks. Whitelist entries are shared between the DoS Protection profile and the DoS Device Configuration, so an entry added here bypasses both. Keep entries as narrow as the protocol, source, destination, and port fields allow: a whitelisted source is exempt from every sweep and flood check, so a compromised or spoofed whitelisted address is not rate-limited.
  1. On the Main tab, click Security > DoS Protection > White List .
    The DoS Protection White List screen opens.
  2. Click Create.
    The New White List Configuration screen opens.
  3. In the Name field, type a name for the whitelist entry.
  4. In the Description field, type a description for the whitelist entry.
  5. From the Protocol list, select the protocol for the whitelist entry. You can select TCP, UDP, or ICMP.
  6. In the Source area, specify a source address to allow to pass the DoS checks, or select any address. You can also specify a source VLAN to pass DoS checks, or any VLAN.
  7. In the Destination area, specify a destination address to allow to pass the DoS checks, or select any address. You can also specify a destination port to pass DoS checks, or any port.
  8. Click Finished to add the whitelist entry to the configuration. Click Repeat to add the whitelist entry and start a new entry.
    You can add up to eight DoS whitelist entries to the configuration.
You have now configured whitelist addresses that are allowed to bypass DoS checks.