Manual Chapter: Detecting and Preventing Network DoS Attacks

Detecting and Preventing Network DoS Attacks

About configuring the BIG-IP system to detect Network DoS attacks

Network DoS protection is a type of security that collects several DoS checks in a DoS security profile. Attack detection and prevention serves two functions:

  • To detect and report on packets based on behavior characteristics of the sender or characteristics of the packets.
  • To detect, report, and rate limit unusual increases in packets that signify specific known attack vectors.

You can configure the Network DoS Protection profile to detect possible attack vectors by packet-per-second or percentage-increase-over-time thresholds, which can indicate that a possible attack is in process. Such attacks can be logged and reported through system logging facilities. You can also rate limit packets of known vectors.

You can define whitelist addresses that the DoS check allows. A whitelist DoS address is passed by the DoS profile, without being subject to the checks in the DoS profile.

DoS protection requires that your virtual server includes a DoS profile that includes network security.

Task summary

Detecting and protecting against network denial-of-service attacks with a DoS profile

You can configure network attack settings in a DoS profile.
The BIG-IP® system handles network attacks that use malformed packets and malicious attack vectors. Possible malicious packets and attacks are detected by logging when packets exceed a threshold of packets per second, and by detecting the percentage rate increase in packets of a certain type over time. You can configure settings to identify and rate limit possible network attacks with a DoS profile. For sweep packets, you can also automatically blacklist IPs.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles.
    The DoS Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. In the Profile Name field, type the name for the profile.
  4. To configure network security settings, under Network click General Settings, click Edit in the far right column, then select Enabled.
  5. To change the threshold or rate increase for a particular network attack, in the Network Attack Types area, click Edit in the far right column, select the Enabled check box for each attack type that you want to configure, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, click the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    Note: The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  6. Click Update to save your changes.
You have now configured a DoS Protection profile to analyze network packet behavior for DoS attacks, to allow specific configured attacks to be identified in system logs and reports, and to allow rate limiting of such attacks. DNS queries on particular record types you have configured in the DNS Query Attack Detection area are detected as attacks at your specified thresholds and rate increases, and rate limited as specified.
Associate the DoS profile with a virtual server to enable network DoS protection.

Detecting and protecting against DoS sweep attacks with a DoS profile

Within a DoS profile, you can set detection thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP addresses that you detect perpetrating such attacks. Use the DoS profile where you want greater granularity than the Device DoS settings, because you can attach the DoS profile to a virtual server.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles.
    The DoS Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. In the Profile Name field, type the name for the profile.
  4. To configure network security settings, under Network click General Settings, click Edit in the far right column, then select Enabled.
  5. To change the threshold, rate increase, rate limit, and blacklist settings for a sweep attack, in the Network Attack Types area, click Edit in the far right column, select Sweep, and select the Enabled check box. Change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, click the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    Note: The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  6. Next to Auto-blacklisting, select Enabled.
  7. In the Blacklist Detection Period field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  8. In the Blacklist Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  9. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  10. Click Update to save your changes.
You have now configured a DoS Protection profile to automatically blacklist IP addresses that employ sweep attacks. Sweep attacks are also logged and rate-limited at the specified thresholds and limits.
Associate the DoS profile with a virtual server to enable network DoS protection.
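The threshold, rate-increase and rate-limit decisions described in step 5 of both procedures above, together with the sweep auto-blacklisting settings of steps 6 through 9, modelled in Python. This is an added example, not F5 code and not how the BIG-IP system implements these vectors internally; the class and function names (VectorConfig, evaluate_vector, SweepBlacklister) are this example's own, and "Rate Increase" is interpreted the way the page's 500% example reads (last-minute average as a percentage of the last-hour average). The numeric values are the page's examples and defaults.

```python
"""Added example (not F5 code): a small model of how the page describes a
network DoS vector behaving in a DoS profile:
  * detection when packets/second reach Threshold, or when the last-minute
    average exceeds the last-hour average by the Rate Increase percentage;
  * dropping only above Rate Limit, never at the detection threshold;
  * for the sweep vector, auto-blacklisting a source once the attack has
    persisted for Blacklist Detection Period seconds, for Blacklist Duration.
Numbers are the page's examples (9999 pps, 250%, 33000 pps, 60 s, 14400 s).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class VectorConfig:
    name: str
    threshold_pps: int       # Threshold: packets/second at which an attack is registered
    rate_increase_pct: int   # Rate Increase: last-minute avg vs last-hour avg, in percent
    rate_limit_pps: int      # Rate Limit: packets above this rate are dropped


@dataclass(frozen=True)
class Verdict:
    detected: bool
    reason: Optional[str]    # "threshold", "rate-increase" or None
    dropped_pps: int         # packets/second in excess of the rate limit


def evaluate_vector(cfg: VectorConfig, pps_now: int,
                    minute_avg: float, hour_avg: float) -> Verdict:
    """Decide detection and drops for one vector from current rate samples."""
    # Rate Increase read as in the page's example: 100000 -> 500000 pps is 500%.
    increase_pct = (minute_avg / hour_avg) * 100 if hour_avg > 0 else 0.0
    reason = None
    if pps_now >= cfg.threshold_pps:
        reason = "threshold"
    elif increase_pct >= cfg.rate_increase_pct:
        reason = "rate-increase"
    # Packets are dropped at the Rate Limit, independent of the detection threshold.
    dropped = max(0, pps_now - cfg.rate_limit_pps)
    return Verdict(detected=reason is not None, reason=reason, dropped_pps=dropped)


class SweepBlacklister:
    """Auto-blacklisting as the page describes it for the sweep vector."""

    def __init__(self, detection_period_s: int = 60, duration_s: int = 14400):
        self.detection_period_s = detection_period_s
        self.duration_s = duration_s
        self._attack_since: Dict[str, float] = {}   # src ip -> when detection began
        self._expires: Dict[str, float] = {}        # src ip -> blacklist expiry time

    def observe(self, src_ip: str, now: float, detected: bool) -> bool:
        """Feed one per-source detection sample; return whether src_ip is blacklisted."""
        if self.is_blacklisted(src_ip, now):
            return True
        if not detected:
            self._attack_since.pop(src_ip, None)   # attack stopped before the period elapsed
            return False
        started = self._attack_since.setdefault(src_ip, now)
        if now - started >= self.detection_period_s:
            self._expires[src_ip] = now + self.duration_s
            self._attack_since.pop(src_ip, None)
            return True
        return False

    def is_blacklisted(self, src_ip: str, now: float) -> bool:
        expiry = self._expires.get(src_ip)
        if expiry is None:
            return False
        if expiry <= now:                 # Blacklist Duration elapsed; forget the entry
            del self._expires[src_ip]
            return False
        return True


if __name__ == "__main__":
    frag = VectorConfig("ip-frag-flood", 9999, 250, 33000)
    print(evaluate_vector(frag, pps_now=40000, minute_avg=40000, hour_avg=40000))
```

The point worth checking against a real deployment is the second verdict below the note in step 5: a vector can be in the "detected" state (logged and reported) for a long time while nothing is dropped, because only the Rate Limit causes drops. Sizing Threshold well below Rate Limit gives you that early warning without affecting traffic.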

DoS profile attack types

You can specify specific threshold, rate increase, rate limit, and other parameters for supported network DoS attack types, to more accurately detect, track, and rate limit attacks.

Attention: All hardware-supported vectors are performed in hardware on vCMP® guests, provided that the vCMP guests have the same software version as the vCMP host.
Attack Name | DoS Vector Name | Information | Hardware accelerated
TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where <value> is 1-4. | Yes
IP Option Frames | ip-opt-frames | IPv4 packet with an IP option. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes
IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <value>, where <value> is 0-1024. | Yes
IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <value>, where <value> is 1-4. | Yes
IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 packet contains extended header frames. | Yes
Too Many Extended Headers | too-many-ext-hdrs | For an IPv6 packet, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <value>, where <value> is 0-15. | Yes
Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length. | Yes
TCP Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious. | Yes
TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. | Yes
Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type. | Yes
ICMPv4 Flood | icmpv4-flood | Flood with ICMPv4 packets. | Yes
ICMPv6 Flood | icmpv6-flood | Flood with ICMPv6 packets. | Yes
IP Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4. | Yes
IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | Yes
TCP RST Flood | tcp-rst-flood | TCP RST flood. | Yes
TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood. | Yes
TCP SYN Flood | tcp-syn-flood | TCP SYN flood. | Yes
TCP Window Size | tcp-window-size | The TCP window size in packets exceeds the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value <value>, where <value> is <=128. | Yes
TCP SYN Oversize | tcp-syn-oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value <value>. The default size is 128 and the maximum allowable value is 9216. | No
UDP Flood | udp-flood | UDP flood attack. | Yes
ICMP Fragment | icmp-frag | ICMP fragment flood. | Yes
Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. You can also configure automatic blacklisting for IPs that initiate sweep attacks, using the IP intelligence mechanism. | No
Host Unreachable | host-unreachable | Host unreachable error. | Yes
TIDCMP | tidcmp | ICMP source quench attack. | Yes

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol.
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  4. From the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Allowing addresses to bypass DoS checks with a whitelist

You can specify whitelist addresses that the DoS profile and DoS Device Configuration do not subject to DoS checks. Whitelist entries are shared between the DoS Protection profile and the DoS Device Configuration.
  1. On the Main tab, click Security > DoS Protection > White List.
    The DoS Protection White List screen opens.
  2. Click Create.
    The New White List Configuration screen opens.
  3. In the Name field, type a name for the whitelist entry.
  4. In the Description field, type a description for the whitelist entry.
  5. From the Protocol list, select the protocol for the whitelist entry.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  6. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    You can also use Any to specify any address or VLAN.
  7. For the Destination setting, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  8. Click Finished to add the whitelist entry to the configuration. Click Repeat to add the whitelist entry and start a new entry.
    You can add up to eight DoS whitelist entries to the configuration.
You have now configured whitelist addresses that are allowed to bypass DoS checks.
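A matcher for whitelist entries with the fields this procedure describes (Protocol; Source address and VLAN; Destination address and port; Any as a wildcard; at most eight entries), written in Python as an added example. It is not F5 code and does not claim to reproduce the system's internal lookup; the WhitelistEntry, Packet and DosWhitelist names are this example's own, and the addresses and VLAN names used in its checks are constructed.

```python
"""Added example (not F5 code): evaluate DoS whitelist entries, as the page
describes them, against a packet. Entry and packet field names are this
example's own choices; addresses and VLAN names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

ANY = "Any"
PROTOCOLS = {"Any", "TCP", "UDP", "ICMP", "IGMP"}   # Protocol list options on the page
MAX_ENTRIES = 8                                      # page: up to eight whitelist entries


@dataclass(frozen=True)
class WhitelistEntry:
    name: str
    protocol: str = ANY
    src_addr: str = ANY                 # IP or CIDR, or Any
    src_vlan: str = ANY                 # VLAN name, or Any
    dst_addr: str = ANY                 # IP or CIDR, or Any
    dst_port: Union[int, str] = ANY     # port number, or Any

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        for addr in (self.src_addr, self.dst_addr):
            if addr != ANY:
                ipaddress.ip_network(addr, strict=False)   # rejects malformed addresses


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    vlan: str
    dst_ip: str
    dst_port: Optional[int]             # None for protocols without ports (ICMP, IGMP)


def _addr_matches(rule: str, addr: str) -> bool:
    """Any matches everything; a bare address is treated as a host prefix."""
    if rule == ANY:
        return True
    # ip_network membership is False across IP versions, so an IPv4 rule
    # never matches an IPv6 source and vice versa.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


class DosWhitelist:
    def __init__(self, entries: Iterable[WhitelistEntry]) -> None:
        self.entries: List[WhitelistEntry] = list(entries)
        if len(self.entries) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} whitelist entries are allowed")

    def match(self, pkt: Packet) -> Optional[str]:
        """Return the name of the first entry that lets pkt bypass DoS checks."""
        for e in self.entries:
            if (e.protocol in (ANY, pkt.protocol)
                    and _addr_matches(e.src_addr, pkt.src_ip)
                    and e.src_vlan in (ANY, pkt.vlan)
                    and _addr_matches(e.dst_addr, pkt.dst_ip)
                    and e.dst_port in (ANY, pkt.dst_port)):
                return e.name
        return None

    def bypasses_dos_checks(self, pkt: Packet) -> bool:
        return self.match(pkt) is not None


if __name__ == "__main__":
    wl = DosWhitelist([WhitelistEntry("monitoring", protocol="ICMP", src_addr="192.0.2.0/24")])
    print(wl.match(Packet("ICMP", "192.0.2.10", "external", "10.0.0.1", None)))
```

Because a whitelisted packet skips every check in the profile, the example keeps entries as narrow as the page's fields allow: protocol plus source prefix plus destination port, rather than Any in every field.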

Creating a custom DoS Protection Logging profile to log DNS attacks

Create a custom Logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. Select the Protocol Security check box to enable the BIG-IP® system to log HTTP, FTP, DNS, and SMTP protocol request events.
  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  5. Select the Log Dropped Requests check box to enable the BIG-IP system to log dropped DNS requests.
  6. Select the Log Filtered Dropped Requests check box to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    Note: The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  7. Select the Log Malformed Requests check box to enable the BIG-IP system to log malformed DNS requests.
  8. Select the Log Rejected Requests check box to enable the BIG-IP system to log rejected DNS requests.
  9. Select the Log Malicious Requests check box to enable the BIG-IP system to log malicious DNS requests.
  10. From the Storage Format list, select how the BIG-IP system formats the log. Your choices are:
    Option | Description
    None | Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List | This option allows you to:
    • Select, from a list, the fields to be included in the log.
    • Specify the order in which the fields display in the log.
    • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined | This option allows you to:
    • Select, from a list, the fields to be included in the log.
    • Cut and paste, in a string of text, the order in which the fields display in the log.
  11. Select the DoS Protection check box.
  12. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  13. Click Finished.
Assign this custom DoS Protection Logging profile to a virtual server.
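A parser for log lines in the default ("None") storage format listed under step 10, with a summary of dropped requests per source, written in Python as an added example (not F5 code). The field order is the one the page lists; the sample lines, and the action and drop-reason values in them ("Drop", "Allow", "DoS", "Malformed"), are constructed for this example and are not taken from a real BIG-IP log.

```python
"""Added example (not F5 code): parse remote-syslog lines in the default
storage format the page lists, and summarise drops by source and reason.
Field names follow the page; sample lines and their values are constructed.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

FIELDS = ["management_ip_address", "bigip_hostname", "context_type", "context_name",
          "src_ip", "dest_ip", "src_port", "dest_port", "vlan", "protocol",
          "route_domain", "acl_rule_name", "action", "drop_reason"]

# Constructed sample: three drops, one allow, and one truncated line.
SAMPLE_LOG = (
    '"192.0.2.1","bigip1.example.test","Virtual Server","/Common/vs_dns",'
    '"198.51.100.7","203.0.113.10","40211","53","/Common/external","UDP","0","","Drop","DoS"\n'
    '"192.0.2.1","bigip1.example.test","Virtual Server","/Common/vs_dns",'
    '"198.51.100.7","203.0.113.10","40212","53","/Common/external","UDP","0","","Drop","DoS"\n'
    '"192.0.2.1","bigip1.example.test","Virtual Server","/Common/vs_dns",'
    '"198.51.100.8","203.0.113.10","51000","53","/Common/external","UDP","0","","Drop","Malformed"\n'
    '"192.0.2.1","bigip1.example.test","Virtual Server","/Common/vs_dns",'
    '"198.51.100.9","203.0.113.10","51001","53","/Common/external","UDP","0","","Allow",""\n'
    '"192.0.2.1","bigip1.example.test","Virtual Server"\n'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse quoted, comma-separated lines into records keyed by field name."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):      # skip blank, truncated or garbled lines
            continue
        records.append(dict(zip(FIELDS, row)))
    return records


def drops_by_source(records: List[Dict[str, str]]) -> Counter:
    """Count dropped requests per source IP."""
    return Counter(r["src_ip"] for r in records if r["action"] == "Drop")


def drops_by_reason(records: List[Dict[str, str]]) -> Counter:
    """Count dropped requests per drop_reason value."""
    return Counter(r["drop_reason"] for r in records if r["action"] == "Drop")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(drops_by_source(recs).most_common(3))
    print(drops_by_reason(recs))
```

Using the csv module rather than splitting on commas matters because fields such as acl_rule_name are quoted and may themselves contain commas; the length check drops lines that arrived truncated over syslog instead of mis-assigning their fields.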

Configuring an LTM virtual server for DoS Protection event logging

Ensure that at least one Log Publisher exists on the BIG-IP® system.
Assign a custom DoS Protection Logging profile to a virtual server when you want the BIG-IP system to log DoS Protection events on the traffic the virtual server processes.
Note: This task applies only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies.
    The screen displays firewall rule settings.
  4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
  5. Click Update to save the changes.