You can configure DNS attack settings in a new or existing DoS profile.
The BIG-IP® system handles DNS attacks that use malformed
packets, protocol errors, and malicious attack vectors. Protocol error attack detection
settings detect malformed and malicious packets, or packets that are used to flood
the system with several different types of responses, by measuring packets per second
and the percentage increase in packets over time. You can configure settings in a DoS
profile to identify and rate limit possible DNS attacks.
-
On the Main tab, click .
The DoS Profiles list screen opens.
-
Click Create.
The New DoS Profile screen opens.
-
In the Name field, type the name for the profile.
-
Click Finished.
The DoS Protection: DoS Profiles screen opens.
-
Click the profile name you configured to open the DoS Profile settings
screen.
-
Select the Threshold Sensitivity: Low, Medium, or
High. A lower setting makes the automatic threshold
algorithm less sensitive to changes in traffic and CPU usage, so it
triggers fewer false positives.
-
In the Whitelist Address List field, begin typing the
name of the address list to use as the whitelist, and select the address list
when the name appears.
-
To configure DNS security settings, click Protocol
Security, and choose DNS Security.
-
To configure enforcement and settings for a DNS vector, in the
Attack Type column, click the vector name.
-
Next to the DoS vector name, choose the enforcement option.
- Select
Enforce to enforce the DoS vector with the
settings you configure or with automatic settings.
- Select Don't
Enforce to configure the vector and log the results of the
vector you configure or the automatic settings, without applying rate limits
or other actions.
- Select
Disable to disable logging and enforcement of the
DoS vector.
-
To allow the DoS vector thresholds to be automatically adjusted, select
Auto-Threshold Configuration.
-
If you use the Auto-Threshold Configuration, in the
Attack Floor PPS field, specify the minimum number of packets
per second of this vector type to allow before the automatically
calculated thresholds take effect.
Because automatic thresholds take time to be reliably established, this
setting defines the packet rate that is always allowed while the automatic
thresholds are being calculated.
-
If you use the Auto-Threshold Configuration, in the Attack Ceiling
PPS field, specify the absolute maximum number of packets per second of
this type to allow before the automatically calculated thresholds take effect.
Because automatic thresholds take time to be reliably established, this
setting rate limits packets of this type to the specified packets per second
until then. To set no hard limit, select Infinite.
-
To configure DoS vector thresholds manually, select Manual
Configuration.
-
From the Detection Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second)
for the attack detection threshold. If packets of the specified types cross
the threshold, an attack is logged and reported. The system continues to
check every second, and registers an attack for the duration that the
threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Detection Threshold Percent list, select
Specify or Infinite.
- Use
Specify to set a value (in percentage of traffic)
for the attack detection threshold. If packets of the specified types cross
the percentage threshold, an attack is logged and reported. The system
continues to check every second, and registers an attack for the duration
that the threshold is exceeded.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not logged or reported based on this
threshold.
-
From the Rate Limit Threshold PPS list, select
Specify or Infinite.
- Use
Specify to set a value (in packets per second)
that packets of this type cannot exceed. All packets of this type
over the threshold are dropped. Rate limiting continues until the rate no
longer exceeds the threshold.
- Use
Infinite to set no value for the threshold. This
specifies that this type of attack is not rate-limited.
-
Select Simulate Auto Threshold to log the results of the
current automatic thresholds, when enforcing manual thresholds.
-
To detect IP address sources from which possible attacks originate, enable
Bad Actor Detection.
Note: Bad Actor
Detection is not available for every vector.
-
In the Per Source IP Detection (PPS) field, specify the
number of packets of this type per second from one IP address that identifies
the IP source as a bad actor, for purposes of attack detection and logging.
-
In the Per Source IP Rate Limit (PPS) field, specify the
number of packets of this type per second from one IP address, above which rate
limiting or leak limiting occurs.
-
Select the Blacklist Address check box to enable
automatic blacklisting.
-
From the Blacklist Category list, select a black list
category to apply to automatically blacklisted addresses.
-
In the Detection Time field, specify the duration in
seconds after which a detected attacking endpoint is blacklisted. By default, the
configuration adds an IP address to the blacklist after one minute (60 seconds).
-
In the Duration field, specify the amount of time in
seconds that the address will remain on the blacklist. The default is
14400 (4 hours).
-
To allow IP source blacklist entries to be advertised to edge routers so that
they null-route traffic from those addresses, select Allow
Advertisement.
Note: To advertise to
edge routers, you must configure a Blacklist Publisher for the blacklist category.
-
Click Update to save your changes.
You have now configured a DoS
Protection profile to provide custom responses to malicious DNS protocol attacks, to
allow such attacks to be identified in system logs and reports, and to allow rate
limiting and other actions when such attacks are detected. DNS queries on particular
record types you have configured in the DNS Query Attack Detection area are detected as
attacks at your specified thresholds and rate increases, and rate limited as
specified.
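To make the threshold semantics in the steps above concrete, the following Python model is an added illustration (not BIG-IP code or F5's algorithm). It replays a constructed per-second traffic sample through one hypothetical DNS vector and shows how the enforcement mode, Detection Threshold PPS and Percent, Rate Limit Threshold PPS, Bad Actor Detection, and automatic blacklisting with Detection Time and Duration interact. The vector name "a", the source addresses, the packet counts, and the timer values are all assumptions chosen for the demo; the percent threshold is modelled against a running average of the quiet seconds seen so far, which is a simplification of the longer history the device uses.

```python
"""Toy model of the DNS DoS vector settings described above (added example).

Assumptions of this model: one tick is one second; the percent threshold
compares the current rate with the average of the quiet seconds seen so far;
a source is blacklisted after Detection Time consecutive seconds above the
per-source detection rate. None of this is BIG-IP's own implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFINITE = None  # the GUI's "Infinite": no threshold at all


@dataclass
class DnsVector:
    name: str
    enforce: str = "enforce"                 # "enforce" | "dont-enforce" | "disable"
    detection_pps: Optional[int] = 1000
    detection_percent: Optional[int] = 500   # current rate as a percentage of baseline
    rate_limit_pps: Optional[int] = INFINITE
    bad_actor: bool = False
    per_src_detect_pps: Optional[int] = INFINITE
    per_src_limit_pps: Optional[int] = INFINITE
    blacklist: bool = False
    blacklist_detect_secs: int = 60          # GUI default: one minute
    blacklist_duration: int = 14400          # GUI default: four hours
    _streak: Dict[str, int] = field(default_factory=dict)   # seconds a source stayed over detect rate
    _blacklist_until: Dict[str, int] = field(default_factory=dict)
    _quiet_totals: List[int] = field(default_factory=list)
    _t: int = 0

    def _baseline(self) -> float:
        return sum(self._quiet_totals) / len(self._quiet_totals) if self._quiet_totals else 0.0

    def _detected(self, pps: int) -> bool:
        """An attack is logged when either detection threshold is crossed."""
        by_pps = self.detection_pps is not None and pps > self.detection_pps
        base = self._baseline()
        by_pct = (self.detection_percent is not None and base > 0
                  and pps > base * self.detection_percent / 100)
        return by_pps or by_pct

    def tick(self, per_source: Dict[str, int]) -> dict:
        """Process one second of traffic ({source_ip: packets}) and report on it."""
        self._t += 1
        t = self._t
        rep = {"t": t, "attack": False, "dropped": 0, "bad_actors": [], "blacklisted": []}
        if self.enforce == "disable":        # Disable: neither logged nor enforced
            return rep
        enforcing = self.enforce == "enforce"
        active: Dict[str, int] = {}
        for ip, n in per_source.items():
            if enforcing and self._blacklist_until.get(ip, 0) >= t:
                rep["dropped"] += n          # blacklisted source: everything is dropped
            else:
                active[ip] = n
        offered = sum(active.values())
        rep["attack"] = self._detected(offered)   # detection looks at the offered rate
        if not rep["attack"]:
            self._quiet_totals.append(offered)
        forwarded = 0
        for ip, n in active.items():
            if self.bad_actor and self.per_src_detect_pps is not None and n > self.per_src_detect_pps:
                rep["bad_actors"].append(ip)
                self._streak[ip] = self._streak.get(ip, 0) + 1
                if enforcing and self.blacklist and self._streak[ip] >= self.blacklist_detect_secs:
                    self._blacklist_until[ip] = t + self.blacklist_duration
                    self._streak.pop(ip)
                    rep["blacklisted"].append(ip)
            else:
                self._streak.pop(ip, None)
            if enforcing and self.bad_actor and self.per_src_limit_pps is not None and n > self.per_src_limit_pps:
                rep["dropped"] += n - self.per_src_limit_pps   # per-source rate limit
                n = self.per_src_limit_pps
            forwarded += n
        if enforcing and self.rate_limit_pps is not None and forwarded > self.rate_limit_pps:
            rep["dropped"] += forwarded - self.rate_limit_pps  # aggregate rate limit
        return rep


def demo_vector(enforce: str = "enforce") -> DnsVector:
    """Hypothetical 'a' query vector with short blacklist timers for the demo."""
    return DnsVector("a", enforce=enforce, detection_pps=1000, detection_percent=500,
                     rate_limit_pps=2000, bad_actor=True, per_src_detect_pps=300,
                     per_src_limit_pps=400, blacklist=True,
                     blacklist_detect_secs=2, blacklist_duration=3)


# Constructed traffic: two quiet seconds, a 5000 pps flood from one source,
# a pause, and the same source returning after its blacklist entry expires.
SAMPLE_TRAFFIC: List[Dict[str, int]] = [
    {"10.0.0.1": 100, "10.0.0.2": 120},
    {"10.0.0.1": 110, "10.0.0.2": 130},
    {"10.0.0.1": 100, "203.0.113.9": 5000},
    {"10.0.0.1": 100, "203.0.113.9": 5000},
    {"10.0.0.1": 100, "203.0.113.9": 5000},
    {"10.0.0.1": 100, "10.0.0.2": 120},
    {"10.0.0.1": 100},
    {"10.0.0.1": 100, "203.0.113.9": 5000},
]


def simulate(vector: DnsVector, traffic: List[Dict[str, int]]) -> List[dict]:
    return [vector.tick(second) for second in traffic]


if __name__ == "__main__":
    for rep in simulate(demo_vector(), SAMPLE_TRAFFIC):
        print(rep)
```

Running the same traffic with `demo_vector("dont-enforce")` shows the difference the enforcement option makes: the attack and the bad actor are still reported every second, but nothing is dropped and no address is blacklisted, which is the behaviour to expect while you are tuning thresholds before switching a vector to Enforce.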
Associate a DNS profile with a virtual server so that the virtual server can
handle DNS traffic, and associate the DoS Protection profile with the same virtual
server to apply the profile's settings to that traffic; until both are attached, the
settings in the profile have no effect.