Manual Chapter: Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

Applies To:

BIG-IP AFM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

About detecting and protecting against DoS, DDoS, and protocol attacks

Attackers can target the BIG-IP® system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. These DoS attack prevention methods are available when the Advanced Firewall Manager™ is licensed and provisioned.

DoS and DDoS attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a machine or network resource unavailable to its users. A DoS attack is the effort of one or more people to disrupt the services of a host connected to the Internet. To detect and prevent attacks of this type, the Advanced Firewall Manager lets you configure packet limits, percentage-increase thresholds, and absolute rate limits for a wide variety of packet types that attackers use as attack vectors. Configure responses to such attacks in the Device DoS profile.
DNS and SIP flood (or DoS) attacks
Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests that are either malformed, or that use a particular DNS query type or protocol extension, or a particular SIP request type, in volumes the system cannot handle. The BIG-IP system allows you to track such attacks using the DoS Protection profile.
DoS Sweep and Flood attacks
A sweep attack is a network scanning technique in which an attacker sends packets across your network and uses the responses to determine which hosts are live. Sweep and Flood attack prevention allows you to configure system thresholds for packets that conform to typical sweep or flood attack patterns. This configuration is set in the Device DoS profile.
Malformed DNS packets
Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Malformed SIP packets
Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Protocol exploits
Attackers can send DNS requests using unusual DNS query types or opcodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS opcodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks. This configuration is set in the DNS Security profile.

About profiles for DoS and DNS service attacks

On your BIG-IP® system, you can use different profiles to detect and protect against system-level DoS attacks and against protocol-specific attacks on DNS and SIP.

DoS Protection profile
The DoS Protection profile allows you to configure the response thresholds on the BIG-IP system for malformed DNS and SIP packets. Malformed packets are dropped by the system. The DoS Protection profile also allows you to configure the percentage-increase threshold for packets of specific DNS query types and SIP request types. You can use the SNMP alerts generated by these items, together with the information reported in real-time reports and in system logs, to mitigate an attack on a specific DNS query type; for example, by blocking that query type with the DNS Security profile. You can also track SIP requests through alerts, though this is informational only.
DNS Security profile
The DNS Security profile allows you to configure the BIG-IP system to exclude (drop) or include (allow) packets of specific DNS query types. You can also configure the profile to drop specific DNS header opcodes.
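To make the three DNS decisions described above concrete (drop malformed packets, deny specific opcodes, allow or deny specific query types), here is an added example that is not part of this manual or of the BIG-IP product: a small parser for the DNS header and question section plus an allow/deny policy over it. The policy values, the packet builder and the verdict strings are constructed for illustration and do not reflect AFM's real data model or algorithm.

```python
import struct

# Constructed allow/deny policy in the spirit of the DNS Security profile
# settings above; an illustration, not AFM's actual data model or algorithm.
ALLOWED_QTYPES = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}
DENIED_OPCODES = {2: "STATUS", 4: "NOTIFY"}

def parse_dns_query(pkt: bytes) -> dict:
    """Parse the 12-byte header and first question; ValueError if malformed."""
    if len(pkt) < 12:
        raise ValueError("header truncated")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set on a query")
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            raise ValueError("name truncated")
        n, off = pkt[off], off + 1
        if n == 0:
            break
        if n > 63 or off + n > len(pkt):  # >63 also rejects compression pointers
            raise ValueError("bad label length")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(pkt):
        raise ValueError("question truncated")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"opcode": (flags >> 11) & 0xF, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}

def classify(pkt: bytes) -> str:
    # Verdict order mirrors the text: malformed first, then opcode, then qtype.
    try:
        q = parse_dns_query(pkt)
    except ValueError as e:
        return f"drop:malformed({e})"
    if q["opcode"] in DENIED_OPCODES:
        return f"drop:opcode({DENIED_OPCODES[q['opcode']]})"
    if q["qtype"] not in ALLOWED_QTYPES:
        return f"drop:qtype({q['qtype']})"
    return f"allow:{ALLOWED_QTYPES[q['qtype']]} {q['qname']}"

def build_query(name: str, qtype: int, opcode: int = 0) -> bytes:
    """Constructed sample packet: one standard query with RD set."""
    hdr = struct.pack("!HHHHHH", 0x1234, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)
```

Feeding the same constructed packets truncated, with the QR bit set, or with an unusual opcode shows how each falls into a different drop category, which is the distinction the DoS Protection and DNS Security profiles report separately.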