You can configure DNS attack settings in a DoS profile that already exists. The BIG-IP® system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses, by detecting packets per second and increasing packet percentages over time. You can configure settings to identify and rate limit possible DNS attacks with a DoS profile.
- On the Main tab, click .
  The DoS Profiles list screen opens.
- Click Create.
  The Create New DoS Profile screen opens.
- In the Profile Name field, type the name for the profile.
- To configure DNS security settings, next to Protocol Security (DNS), select Enabled.
- To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, select Enabled.
- In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous.
  The rate of detection compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
- To change the threshold or rate increase for a particular DNS query type, in the DNS Query Attack Detection area, select the Enabled check box for each query type that you want to change, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
  For example, to change the thresholds for IPv6 address requests, select the Enabled check box next to aaaa, then set the threshold in packets per second, the rate increase percentage to be considered an attack, and the rate limit in packets per second for such packets.
  The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
  Note: DNS Query Attack Detection allows you to configure the thresholds at which the firewall registers an attack. Packets that exceed the Rate Limit are dropped.
- Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to malformed DNS attacks and DNS flood attacks, and to allow such attacks to be identified in system logs and reports, and rate limited.
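The following Python model is an added example, not F5's code or the BIG-IP implementation; it shows how the Rate Increase comparison and the per-query-type Threshold and Rate Limit fields from the steps above fit together on a stream of per-second packet counts. It assumes (as the page does not state) that an attack is registered only when the last-minute average is at or above the Threshold and the increase over the previous hour reaches the configured percentage, and that the Rate Limit is enforced only while an attack is registered. The 60-second and 3600-second windows, the `aaaa` settings, and the traffic counts are constructed for the demonstration.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryTypeSettings:
    """Constructed mirror of the three per-query-type fields: Threshold, Rate Increase, Rate Limit."""
    threshold_pps: int        # Threshold: absolute packets/second floor before an attack can register
    rate_increase_pct: int    # Rate Increase: last-minute average as a percentage of the hourly average
    rate_limit_pps: int       # Rate Limit: packets/second above which packets are dropped during an attack


@dataclass
class Verdict:
    qtype: str
    minute_avg: float
    hour_avg: float
    rate_increase_pct: float
    attack: bool
    forwarded: int
    dropped: int


class DnsQueryAttackDetector:
    """Hypothetical model (assumption, not BIG-IP's code) of per-query-type attack detection.

    observe_second() is fed one second of packet counts for one query type. The newest
    60 samples form the "last minute"; the 3600 samples before them form the
    "previous hour" baseline, as the page describes the Rate Increase comparison.
    """
    MINUTE = 60
    HOUR = 3600

    def __init__(self, settings: dict[str, QueryTypeSettings]):
        self.settings = settings
        self.history = {q: deque(maxlen=self.MINUTE + self.HOUR) for q in settings}

    def observe_second(self, qtype: str, packets: int) -> Verdict:
        cfg = self.settings[qtype]
        hist = self.history[qtype]
        hist.append(packets)
        samples = list(hist)
        minute = samples[-self.MINUTE:]
        hour = samples[:-self.MINUTE]          # empty until a full minute of warm-up exists
        minute_avg = sum(minute) / len(minute)
        hour_avg = sum(hour) / len(hour) if hour else 0.0
        # Expressed as the page does: 100000 pps -> 500000 pps is a 500% rate.
        increase = (minute_avg / hour_avg) * 100 if hour_avg else 0.0
        # Assumption: both the absolute Threshold and the Rate Increase must be met.
        attack = minute_avg >= cfg.threshold_pps and increase >= cfg.rate_increase_pct
        # Assumption: packets beyond the Rate Limit are dropped only while an attack is registered.
        forwarded = min(packets, cfg.rate_limit_pps) if attack else packets
        return Verdict(qtype, minute_avg, hour_avg, increase, attack, forwarded, packets - forwarded)


def replay(detector: DnsQueryAttackDetector, qtype: str, per_second_counts: list[int]) -> Verdict:
    """Feed a list of per-second counts and return the verdict for the final second."""
    verdict = None
    for n in per_second_counts:
        verdict = detector.observe_second(qtype, n)
    return verdict


def run_demo() -> tuple[Verdict, Verdict]:
    # Constructed settings for the aaaa query type: threshold 200000 pps,
    # attack at a 500% increase, rate limit 150000 pps.
    cfg = {"aaaa": QueryTypeSettings(threshold_pps=200000, rate_increase_pct=500, rate_limit_pps=150000)}
    det = DnsQueryAttackDetector(cfg)
    baseline = [100000] * DnsQueryAttackDetector.HOUR   # constructed steady hour at 100000 pps
    flood = [500000] * DnsQueryAttackDetector.MINUTE    # constructed minute at 500000 pps
    quiet = replay(det, "aaaa", baseline)
    flooded = replay(det, "aaaa", flood)
    return quiet, flooded


if __name__ == "__main__":
    before, after = run_demo()
    print(f"steady state: increase={before.rate_increase_pct:.0f}% attack={before.attack}")
    print(f"flood:        increase={after.rate_increase_pct:.0f}% attack={after.attack} "
          f"forwarded={after.forwarded} dropped={after.dropped}")
```

Running the demo reproduces the page's worked figures: an hour at 100000 packets/second followed by a minute at 500000 packets/second yields a 500% rate, registers an attack for the `aaaa` type, and, under the rate-limit assumption above, forwards 150000 and drops 350000 packets in that second. During the first minute of traffic there is no hourly baseline, so the model reports a 0% increase and no attack rather than dividing by zero.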
Associate a DNS profile with a virtual server to enable the virtual server to handle DNS traffic. Associate the DoS Protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server. When a DNS attack on a specific query type is detected, you can configure the DNS security profile to drop packets of a query type that appears to be an attack vector.