Applies To:

Show Versions Show Versions

Manual Chapter: Preventing DoS Sweep and Flood Attacks
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Preventing DoS Sweep and Flood Attacks

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. Typical attacks use ICMP to accomplish this.

The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint Sweep criteria, and are above the rate limit, are dropped.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is a an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large amount of UDP packets, requiring the system to check for applications and send responses.

The Flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and are above the rate limit, are dropped.

The BIG-IP® system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

You can configure DoS sweep and flood prevention through the Device DoS profile.

Detecting and protecting against single endpoint DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. To log DoS events to a log publisher, from the Log Publisher list, select a destination to which the BIG-IP® system sends DoS and DDoS log entries, and click Update.
  3. In the Category column, expand the Single Endpoint category.
  4. Click Single Endpoint Flood.
    The Single Endpoint Flood screen opens.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and marks the threshold as an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  8. Click the Update button.
    The flood attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically want to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. To log DoS events to a log publisher, from the Log Publisher list, select a destination to which the BIG-IP® system sends DoS and DDoS log entries, and click Update.
  3. In the Category column, expand the Single Endpoint category.
  4. Click Single Endpoint Sweep.
    The Single Endpoint Sweep screen opens.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and marks the threshold as an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  8. Click the Update button.
    The sweep attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide protection against DoS sweep attacks, and to allow such attacks to be identified in system logs and reports.
Configure flood attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against UDP flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for UDP flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration .
    The DoS Protection Device Configuration screen opens.
  2. To log DoS events to a log publisher, from the Log Publisher list, select a destination to which the BIG-IP® system sends DoS and DDoS log entries, and click Update.
  3. In the Category column, expand the Flood category.
  4. Click UDP Flood.
    The UDP Flood screen opens.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and marks the threshold as an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and marks the threshold as an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  8. From the UDP Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the UDP Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the UDP Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  9. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  10. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excluded the port from source packets only.
    • Destination only includes or excludes the port for destination packets only.
    • Both Source and Destination includes or excludes the port in both source and destination packets.
  11. Click the Update button.
    The UDP Flood attack configuration is updated, and the DoS Protection Device Configuration screen opens again.
Now you have configured the system to provide customized protection against UDP flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep and flood attack prevention, and configure any other DoS responses, in the DoS device configuration screens. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Allowing addresses to bypass DoS checks with a whitelist

You can specify whitelist addresses that the DoS profile and DoS Device Configuration do not subject to DoS checks. Whitelist entries are shared between the Dos Protection profile and the DoS Device Configuration.
  1. On the Main tab, click Security > DoS Protection > White List .
    The DoS Protection White List screen opens.
  2. Click Create.
    The New White List Configuration screen opens.
  3. In the Name field, type a name for the whitelist entry.
  4. In the Description field, type a description for the whitelist entry.
  5. From the Protocol list, select the protocol for the whitelist entry.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  6. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    You can also use Any to specify any address or VLAN.
  7. For the Destination setting, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  8. Click Finished to add the whitelist entry to the configuration. Click Repeat to add the whitelist entry, and star a new entry.
    You can add up to eight DoS whitelist entries to the configuration.
You have now configured whitelist addresses that are allowed to bypass DoS checks.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)