Manual Chapter : Detecting and Preventing DNS DoS Attacks

Applies To:


BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Detecting and Preventing DNS DoS Attacks

About configuring the BIG-IP system to detect DNS DoS attacks

DNS DoS protection is a type of protocol security. DNS attack detection and prevention serves two functions:

  • To detect and rate limit DNS packets that have errors that could be considered malicious.
  • To log unusual increases in DNS packets that contain errors, or rapid increases in DNS query packets, and to rate limit such packets.

You can use the DNS DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack on a particular DNS query type, or an increase in anomalous packets. You can then use the reporting or logging functions to review such packets, and use the Rate Limit settings in the DoS profile to drop DNS query packets that exceed the configured rate.

You can define whitelist addresses that the DoS check allows. Traffic from a whitelisted address is passed by the DoS profile without being subject to the checks in the DoS profile.

DNS DoS protection requires that your virtual server includes a DNS profile, and a DoS profile that includes DNS protocol security.

Task list

Detecting and protecting against DNS denial-of-service attacks with a DoS profile

You can configure DNS attack settings in a new DoS profile, or in a DoS profile that already exists.
The BIG-IP® system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses, by measuring packets per second and the percentage increase in packets over time. You can configure settings to identify and rate limit possible DNS attacks with a DoS profile.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles.
    The DoS Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. Under Profile Information, click General Settings, and in the Profile Name field, type the name for the profile.
  4. To configure DNS security settings, click Protocol DNS, click Edit in the far right column, then select Enabled.
  5. To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, click Edit in the far right column, then select Enabled.
  6. In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous.
    The rate of detection compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% registers an attack if the average rate for the previous hour was 100000 packets/second and the rate over the last minute rose to 500000 packets/second, that is, five times the hourly average.
  7. In the Rate threshold field, type the rate of packets with errors per second to detect.
    This threshold sets an absolute limit which, when exceeded, registers an attack.
  8. In the Rate limit field, type the absolute limit for packets per second with protocol errors. Packets that exceed this limit are dropped.
  9. To change the threshold or rate increase for a particular DNS record, in the DNS Query Attack Detection area, click Edit in the far right column, select the Enabled check box for each record type that you want to configure, then change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IPv6 address requests to 9,999 per second, or an increase of 250% over the average, select the Enabled check box next to aaaa, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% registers an attack if the average rate for the previous hour was 100000 packets/second and the rate over the last minute rose to 500000 packets/second, that is, five times the hourly average.
    Note: DNS Query Attack Detection allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  10. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
  11. In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select Blacklist Attacking Address.
    Note: Automatic IP address blacklisting is enabled only when Bad Actor Detection is enabled.
  14. Specify the Detection Time, in seconds, after which an IP address is blacklisted.
    When a Bad Actor IP address exceeds the Per Source IP Detection PPS setting for the Detection Time period, that IP address is added to the blacklist.
  15. To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  16. Select the Blacklist Category to which blacklist entries generated by Bad Actor Detection are added.
  17. To allow IP source blacklist entries to be advertised to edge routers, so that they null-route traffic from those addresses, select Allow Advertisements.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > Blacklist Publisher for the blacklist category.
  18. Click Update to save your changes.
You have now configured a DoS Protection profile that identifies malicious DNS packets and DNS flood attacks in system logs and reports, and rate limits them. DNS queries for the record types you configured in the DNS Query Attack Detection area are registered as attacks at your specified thresholds and rate increases, and rate limited at the specified limits.
Associate a DNS profile with a virtual server to enable the virtual server to handle DNS traffic. Associate the DoS Protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server.
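The settings in steps 5 through 17 interact in ways the screen does not show: Rate Increase and Rate Threshold only register an attack, dropping happens at Rate Limit, and a source is blacklisted only after it exceeds the Per Source IP Detection PPS for the whole Detection Time. The following Python model, added here as an example and not F5 code, replays constructed per-second traffic through those semantics using the values from this procedure (aaaa at 9999 / 250% / 33000, Protocol Errors at 500%). The class and field names, the sample addresses, the treatment of "no limit" as the 32-bit maximum, and the assumption that an empty hourly baseline leaves only the absolute threshold in force are this example's own and are not tmsh attribute names or documented BIG-IP behaviour.

```python
"""Standalone model of the BIG-IP AFM DNS DoS settings described in this chapter.

Added example, not F5 code: it reproduces the documented semantics (Rate Increase
versus Rate Threshold, dropping only at Rate Limit, Bad Actor Detection with a
Detection Time and a blacklist Duration, whitelist bypass) on constructed traffic
so the interaction of the settings can be checked offline. Class names, field
names and sample addresses are this example's own, not tmsh attribute names.
"""
from collections import defaultdict
from dataclasses import dataclass, field

UNLIMITED = 4294967295  # assumption: "no limit" modelled as the 32-bit maximum


@dataclass
class Vector:
    """One detection vector: the Protocol Errors row, or one query type such as aaaa."""
    name: str
    rate_increase: int = 500         # percent; per the manual's example, 500% means 5x the hourly average
    rate_threshold: int = UNLIMITED  # absolute pps at which an attack is registered
    rate_limit: int = UNLIMITED      # absolute pps above which packets are dropped

    def attack_detected(self, hour_avg_pps: float, minute_avg_pps: float) -> bool:
        # Rate Increase compares the last-minute average with the last-hour average:
        # 100000 pps over the hour and 500000 pps over the last minute trips 500%.
        # Assumption: with no hourly baseline only the absolute threshold applies.
        by_increase = hour_avg_pps > 0 and minute_avg_pps >= hour_avg_pps * self.rate_increase / 100
        by_threshold = minute_avg_pps >= self.rate_threshold
        return bool(by_increase or by_threshold)

    def forward(self, pps: int) -> tuple:
        """Return (forwarded, dropped) for one second of traffic on this vector.
        Packets are dropped at Rate Limit, not at the detection threshold."""
        forwarded = min(pps, self.rate_limit)
        return forwarded, pps - forwarded


@dataclass
class BadActorDetection:
    """Per-source detection, rate limiting and automatic blacklisting."""
    detection_pps: int                  # Per Source IP Detection (PPS)
    limit_pps: int                      # Per Source IP Rate Limit (PPS)
    detection_time: int                 # seconds over detection_pps before blacklisting
    duration: int = 14400               # blacklist Duration; the default is 4 hours
    whitelist: frozenset = frozenset()  # DoS whitelist: sources never subjected to the checks
    blacklist: dict = field(default_factory=dict)  # src -> time the entry expires
    _over: dict = field(default_factory=lambda: defaultdict(int), init=False, repr=False)

    def observe(self, now: int, src: str, pps: int) -> str:
        """Classify one second of traffic from src and return the action taken."""
        if src in self.whitelist:
            return "whitelisted"
        if src in self.blacklist:
            if now < self.blacklist[src]:
                return "blacklisted"
            del self.blacklist[src]  # Duration elapsed: the address leaves the blacklist
        over = pps > self.detection_pps
        self._over[src] = self._over[src] + 1 if over else 0  # consecutive seconds over detection
        if over and self._over[src] >= self.detection_time:
            self.blacklist[src] = now + self.duration
            self._over[src] = 0
            return "blacklisted"
        if pps > self.limit_pps:
            return "rate-limited"
        return "bad-actor" if over else "allowed"


def run_example() -> dict:
    """Replay constructed traffic through the values used in the procedure above."""
    aaaa = Vector("aaaa", rate_increase=250, rate_threshold=9999, rate_limit=33000)
    errors = Vector("protocol-errors", rate_increase=500)
    bad_actor = BadActorDetection(detection_pps=1000, limit_pps=2000, detection_time=3,
                                  duration=60, whitelist=frozenset({"10.0.0.5"}))
    # Constructed per-second samples: (second, source, packets in that second)
    samples = [(t, src, pps) for t in range(6)
               for src, pps in (("198.51.100.7", 2500), ("10.0.0.5", 2500), ("192.0.2.9", 300))]
    actions = defaultdict(list)
    for t, src, pps in samples:
        actions[src].append(bad_actor.observe(t, src, pps))
    return {
        # 100000 pps hourly average against 500000 pps in the last minute: 500% trips
        "errors_increase_attack": errors.attack_detected(100000, 500000),
        "errors_below_increase": errors.attack_detected(100000, 400000),
        # 10000 aaaa pps is under 250% of a 20000 baseline but over the 9999 threshold
        "aaaa_threshold_attack": aaaa.attack_detected(20000, 10000),
        # detected at 9999, but nothing is dropped until the 33000 Rate Limit
        "aaaa_forward_20000": aaaa.forward(20000),
        "aaaa_forward_40000": aaaa.forward(40000),
        "actions": dict(actions),
        "still_blacklisted_at_61": bad_actor.observe(61, "198.51.100.7", 300),
        "allowed_again_at_62": bad_actor.observe(62, "198.51.100.7", 300),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Running `run_example()` shows the ordering that matters operationally: the source sending 2500 pps is rate limited for the first two seconds, blacklisted on the third (the Detection Time), stays blacklisted until the 60-second Duration used here elapses, and is then evaluated normally again; the whitelisted address is never checked at all, and an aaaa rate between the 9999 threshold and the 33000 limit is logged as an attack without a single packet being dropped.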

Creating a custom DNS profile to firewall DNS traffic

Ensure that you have a DNS security profile created before you configure this DNS profile.
You can create a custom DNS profile that applies the DNS security profile to DNS traffic passing through the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the DNS Traffic area, from the DNS Security list, select Enabled.
  7. In the DNS Traffic area, from the DNS Security Profile Name list, select the name of the DNS firewall profile.
  8. Click Finished.
Assign the custom DNS profile to the virtual server that handles the DNS traffic that you want to firewall.

Assigning a DNS profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the DNS Profile list, select the profile you want to assign to the virtual server.
  5. Click Update.
The virtual server now handles DNS traffic.

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol.
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  4. On the menu bar, from the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Allowing individual addresses to bypass DoS checks

You can specify whitelist addresses that the DoS profile and DoS Device Configuration do not subject to DoS checks. Whitelist entries are shared between the DoS Protection profile and the DoS Device Configuration.
  1. On the Main tab, click Security > DoS Protection > White List.
    The DoS Protection White List screen opens.
  2. To use an address list as a source whitelist, select the address list from Source Address List.
  3. Click Create.
    The New White List Configuration screen opens.
  4. In the Name field, type a name for the whitelist entry.
  5. In the Description field, type a description for the whitelist entry.
  6. From the Protocol list, select the protocol for the whitelist entry.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  7. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    You can also use Any to specify any address or VLAN.
  8. For the Destination setting, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  9. Click Finished to add the whitelist entry to the configuration. Click Repeat to add the whitelist entry, and start a new entry.
    You can add up to eight DoS whitelist entries to the configuration.
You have now configured whitelist addresses that are allowed to bypass DoS checks.

Creating a custom DoS Protection Logging profile to log DNS attacks

Create a custom Logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. Select the Protocol Security check box, to enable the BIG-IP® system to log HTTP, FTP, DNS, and SMTP protocol request events.
  4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  5. Select the Log Dropped Requests check box, to enable the BIG-IP system to log dropped DNS requests.
  6. Select the Log Filtered Dropped Requests check box, to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    Note: The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  7. Select the Log Malformed Requests check box, to enable the BIG-IP system to log malformed DNS requests.
  8. Select the Log Rejected Requests check box, to enable the BIG-IP system to log rejected DNS requests.
  9. Select the Log Malicious Requests check box, to enable the BIG-IP system to log malicious DNS requests.
  10. From the Storage Format list, select how the BIG-IP system formats the log. Your choices are:
    • None: The default format in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason"
    • Field-List: Lets you select from a list the fields to include in the log, specify the order in which the fields appear in the log, and specify the delimiter that separates the fields. The default delimiter is the comma character.
    • User-Defined: Lets you select from a list the fields to include in the log, and specify, by cutting and pasting a string of text, the order in which the fields appear in the log.
  11. Select the DoS Protection check box.
  12. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  13. Click Finished.
Assign this custom DoS Protection Logging profile to a virtual server.
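When the Storage Format is None and the publisher sends to a remote Syslog server, the message body is the quoted, comma-separated field list shown in step 10, in that order. The following Python parser, added here as an example and not F5 code, reads lines in that layout and counts dropped requests per source and drop reason, which is the first question to answer before deciding whether a source belongs on the DoS whitelist or in a blacklist category. The sample lines, hostnames, addresses, and the action and drop_reason strings in them are constructed for this example and are not captured BIG-IP output; the example also assumes the syslog header that precedes these fields on the wire has already been stripped.

```python
"""Parser for the default ("None") Protocol Security storage format listed above.

Added example, not F5 code. It reads the 14 quoted, comma-separated fields in the
order the chapter gives and summarises dropped DNS requests per source and drop
reason. The sample lines, hostnames, addresses and the action/drop_reason values
are constructed for this example, not captured BIG-IP output.
"""
import csv
from collections import Counter
from io import StringIO

# Field order exactly as listed for the None storage format in this chapter.
FIELDS = ["management_ip_address", "bigip_hostname", "context_type", "context_name",
          "src_ip", "dest_ip", "src_port", "dest_port", "vlan", "protocol",
          "route_domain", "acl_rule_name", "action", "drop_reason"]

# Constructed sample (assumed values): three events on a DNS virtual server, two dropped.
SAMPLE_LOG = '''\
"10.1.1.10","bigip1.example.net","Virtual Server","/Common/dns_vs","198.51.100.7","192.0.2.53","41234","53","/Common/external","UDP","0","","Drop","Malformed DNS request"
"10.1.1.10","bigip1.example.net","Virtual Server","/Common/dns_vs","198.51.100.7","192.0.2.53","41235","53","/Common/external","UDP","0","","Drop","Malformed DNS request"
"10.1.1.10","bigip1.example.net","Virtual Server","/Common/dns_vs","203.0.113.4","192.0.2.53","50001","53","/Common/external","UDP","0","","Accept",""
'''


def parse_events(text: str) -> list:
    """Return one dict per log line, keyed by the documented field names.
    csv handles the quoting, so a quoted field that contains a comma is not split."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        events.append(dict(zip(FIELDS, row)))
    return events


def dropped_by_source(events: list) -> Counter:
    """Count dropped requests per (src_ip, drop_reason)."""
    return Counter((e["src_ip"], e["drop_reason"]) for e in events if e["action"] == "Drop")


if __name__ == "__main__":
    for (src, reason), count in dropped_by_source(parse_events(SAMPLE_LOG)).most_common():
        print(f"{src}\t{reason}\t{count}")
```

Splitting on commas would break as soon as a field such as context_name or drop_reason contains one, which is why the example goes through the csv module and checks the field count before trusting a row.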

Configuring an LTM virtual server for DoS Protection event logging

Ensure that at least one Log Publisher exists on the BIG-IP® system.
Assign a custom DoS Protection Logging profile to a virtual server when you want the BIG-IP system to log DoS Protection events on the traffic the virtual server processes.
Note: This task applies only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies.
    The screen displays network firewall security settings.
  4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
  5. Click Update to save the changes.