Manual Chapter : Preventing Global DoS Sweep and Flood Attacks

Applies To:

BIG-IP AFM

  • 13.0.1, 13.0.0

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. Typical attacks use ICMP to accomplish this.

The sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also configure the sweep vector to automatically blacklist an IP address from which the sweep attack originates.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending the corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.

The flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.

The BIG-IP® system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

You can configure DoS sweep and flood prevention through DoS Protection > Device Configuration > Network Security.

Task list

Detecting and protecting against single endpoint DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security.
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Single-Endpoint category.
  3. Click Single Endpoint Flood.
    The Single Endpoint Flood settings open on the right side of the screen.
  4. Next to the DoS vector name, select Enforce.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Rate Limit Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. Select the Blacklist Address check box to enable automatic blacklisting.
  8. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  9. In the Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > External Redirection > Blacklisting for the blacklist category.
  12. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  13. Click the Update button.
    The flood attack configuration is updated on the Device Protection screen.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically want to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP addresses that you detect perpetrating such attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security.
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Single-Endpoint category.
  3. Click Single Endpoint Sweep.
    The Single Endpoint Sweep settings open on the right side of the screen.
  4. Next to the DoS vector name, select Enforce.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Rate Limit Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. Select the Blacklist Address check box to enable automatic blacklisting.
  8. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  9. In the Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > External Redirection > Blacklisting for the blacklist category.
  12. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  13. Click the Update button.
    The sweep attack configuration is updated on the Device Protection screen.
Now you have configured the system to provide protection against DoS sweep attacks, to allow such attacks to be identified in system logs and reports, and to automatically add such attackers to a blacklist of your choice.
Configure flood attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against UDP flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for UDP flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security.
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Flood category.
  3. Click UDP Flood.
    The UDP Flood screen opens.
  4. Next to the DoS vector name, select Enforce.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the Rate Limit Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  8. Select Simulate Auto Threshold to log the results of the current automatic thresholds, when enforcing manual thresholds.
  9. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  10. In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  11. In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  12. To change the threshold, rate increase, rate limit, and blacklist settings for a sweep attack, in the Network Attack Types area, click Edit in the far right column, select Sweep, and select the Enabled check box. Change the values for Threshold, Rate Increase, and Rate Limit in the associated fields.
    For example, to change the detection threshold for IP fragments to 9,999 per second, or an increase of 250% over the average, in Attack Types, click IP Fragment Flood, click the Enabled check box next to IP Fragment Flood, then set the Threshold field to 9999 and the Rate Increase field to 250. To rate limit such requests to 33,000 packets per second, set the Rate Limit field to 33000.
    The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, the 500% base rate would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    Note: The Attack Types area allows you to configure the thresholds at which the firewall registers an attack. However, packets are dropped at the Rate Limit setting, not at the attack detection threshold.
  13. Select the Blacklist Address check box to enable automatic blacklisting.
  14. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  15. In the Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  16. In the Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > External Redirection > Blacklisting for the blacklist category.
  18. From the Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  19. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  20. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excludes the port for source packets only.
    • Destination only includes or excludes the port for destination packets only.
    • Both Source and Destination includes or excludes the port in both source and destination packets.
  21. Click the Update button.
    The UDP Flood attack configuration is updated on the DoS Device Configuration screen.
You have now configured the system to provide customized protection against UDP flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep and flood attack prevention, and configure any other DoS responses, in the DoS device configuration screens. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.
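The per-source tracking of the sweep vector and per-destination tracking of the flood vector from the overview, the Detection Threshold, Rate Limit, Detection Time and Duration fields from the procedures above, and the Rate Increase comparison from step 12 of the UDP flood procedure, modelled in an added Python simulation. This is example code written for this page, not F5 software; the threshold values, addresses and the reading of Detection Time as consecutive seconds over the detection threshold are assumptions.

```python
from collections import defaultdict

# Constructed settings mirroring the vector fields on the Device Configuration
# screen; the numbers are assumptions for the example, not the manual's defaults.
DETECTION_THRESHOLD_PPS = 100   # Detection Threshold PPS: attack logged above this
RATE_LIMIT_PPS = 150            # Rate Limit Threshold PPS: excess packets dropped
DETECTION_TIME_S = 3            # Detection Time: seconds over threshold before blacklisting
BLACKLIST_DURATION_S = 14400    # Duration: seconds the address stays blacklisted

def run_vector(traffic, key):
    """Replay per-second traffic through one single-endpoint vector.

    traffic: list of (second, src, dst, packets). key="src" tracks packets per
    source like the sweep vector; key="dst" tracks per destination like the
    flood vector. Blacklisting once an endpoint has stayed over the detection
    threshold for DETECTION_TIME_S consecutive seconds is this model's reading
    of the Detection Time field (an assumption).
    """
    stats = defaultdict(lambda: {"dropped": 0, "streak": 0, "blacklisted_at": None})
    for now in sorted({rec[0] for rec in traffic}):
        counts = defaultdict(int)
        for second, src, dst, packets in traffic:
            if second == now:
                counts[src if key == "src" else dst] += packets
        for endpoint, pps in counts.items():
            s = stats[endpoint]
            if pps > DETECTION_THRESHOLD_PPS:
                s["streak"] += 1                  # this second is logged as an attack
                if s["streak"] >= DETECTION_TIME_S and s["blacklisted_at"] is None:
                    s["blacklisted_at"] = now      # entry expires at now + BLACKLIST_DURATION_S
            else:
                s["streak"] = 0                   # rate fell back under the threshold
            s["dropped"] += max(0, pps - RATE_LIMIT_PPS)  # only the excess is dropped
    return dict(stats)

def rate_increase_attack(hour_avg_pps, minute_avg_pps, rate_increase_pct):
    """Rate Increase check: an attack is registered when the last-minute average
    reaches rate_increase_pct of the last-hour average."""
    return minute_avg_pps >= hour_avg_pps * rate_increase_pct / 100

# Constructed traffic: one source sweeping three hosts at 60 pps each (180 pps from
# that source), then three sources flooding one host at 60 pps each (180 pps at it).
SWEEP = [(t, "10.0.0.1", d, 60) for t in range(4) for d in ("10.1.0.1", "10.1.0.2", "10.1.0.3")]
FLOOD = [(t, s, "10.1.0.9", 60) for t in range(10, 14) for s in ("10.0.0.2", "10.0.0.3", "10.0.0.4")]

if __name__ == "__main__":
    print("sweep vector (per source):", run_vector(SWEEP, "src"))      # drops 30/s, blacklists 10.0.0.1
    print("flood vector (per destination):", run_vector(FLOOD, "dst"))  # drops 30/s, blacklists 10.1.0.9
    print("rate increase 500%:", rate_increase_attack(100000, 500000, 500))  # True
```

Running the same sweep traffic through the flood vector (key="dst") triggers nothing, because each destination only sees 60 pps; that is the ordering point made in the overview, where the sweep vector acts first.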

Allowing addresses to bypass global DoS checks

You can specify whitelist addresses that the DoS Device Configuration does not subject to DoS checks. Whitelist entries are specified on a security address list, and can be configured directly on the Device DoS Configuration screen.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Properties.
    The DoS Protection Device Configuration screen opens.
  2. In the Whitelist Address List field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  3. To define an address list to use as a whitelist, on the right side of the screen under Shared Objects, click the + under Address Lists.
    The Address List Properties pane opens at the bottom right of the screen.
  4. Type a Name for the address list.
  5. Optionally, type a Description for the address list.
  6. In the Contents field, type an address, and click Add.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  7. Click Update to update the address list.
    If this is a new address list, type and select the address list in the Whitelist Address List field.
  8. Click Commit Changes to System to commit the whitelist to the device configuration.
You have now specified a whitelist to bypass DoS checks for specific addresses globally.