Manual Chapter: Preventing DoS Attacks for Layer 7 Traffic

What is a DoS attack?

A denial-of-service attack (DoS attack) makes a computer resource unavailable to its intended users, or obstructs the communication media between the intended users and the victim so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.

Denial-of-service attacks are also known as HTTP-GET attacks or page flood attacks.

HTTP-GET attacks
The attacks are initiated either from a single user (single IP address) or from thousands of computers (distributed DoS attack), which overwhelms the target system.
Page flood attacks
Page flood attacks (or HTTP flood attacks) may resemble the patterns of normal web surfing, making it harder for automated tools to differentiate between legitimate web traffic and an attempted attack.

About recognizing DoS attacks

Application Security Manager™ determines that traffic is a DoS attack based on calculations for transaction rates on the client side (TPS-based) or latency on the server side (latency-based). You can specify the calculations that you want the system to use.

Note: You can set up both methods of detection to work independently or you can set them up to work concurrently to simultaneously detect attacks on both the client side and server side.

You can view details about DoS attacks that the system detected and logged. You can also configure remote logging support for DoS attacks when creating a logging profile.

About configuring TPS-based DoS protection

When setting up DoS protection, you can configure the system to prevent DoS attacks based on transaction rates (TPS-based anomaly detection). If you choose TPS-based anomaly protection, the system detects DoS attacks from the client side using the following calculations:

Transaction rate during detection interval
The average number of requests per second sent for a specific URL, or by a specific IP address. Every second, the system calculates the average TPS for the last minute.
Note: The averages for IP address and URL counts are done for each virtual server, not each DoS L7 profile, in case one DoS L7 profile is assigned to more than one virtual server.
Transaction rate during history interval
The average number of requests per second sent for a specific URL, or by a specific IP address. The system calculates this number every minute.

If the ratio of the transaction rate during the detection interval to the transaction rate during the history interval is greater than the percentage indicated in the TPS increased by setting, the system considers the URL to be under attack, or the IP address to be suspicious.

About configuring latency-based DoS protection

When setting up DoS protection, you can configure the system to prevent DoS attacks based on server latency (latency-based anomaly detection). If you choose latency-based anomaly protection, the system detects DoS attacks from the server side using the following calculations:

Latency during detection interval
The average time it takes for the system to respond to a request for a specific URL over the last minute. The system calculates this number every second.
Note: The averages for IP address and URL counts are done for each virtual server, not each DoS L7 profile, in case one DoS L7 profile is assigned to more than one virtual server.
Latency during history interval
The average time it takes for the system to respond to a request for a specific URL over the last hour. The system calculates this number every minute.

If the ratio of the latency during the detection interval to the latency during the history interval is greater than the percentage in the Latency increased by setting, the system detects that this URL is under attack.
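The two detection modes above share one shape: compare a short detection-interval average against a longer history-interval average, with an absolute "reached" threshold as a second, independent trigger and a minimum threshold that stops a tiny baseline from tripping the ratio test. The following Python is an added illustration of that logic, not code from this manual or from F5; the names `Criteria`, `AnomalyDetector`, `evaluate_criteria` and `replay_ip_tps` are ours. It assumes "increased by 500%" means the detection/history ratio exceeds 5x, and that the history interval is one hour for both modes (the page states one hour only for latency). The default thresholds are the ones the chapter lists.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Criteria:
    """Thresholds as the chapter names them (values below are the page defaults)."""
    increased_by_pct: float   # 'TPS increased by' / 'Latency increased by'
    reached: float            # absolute 'TPS reached' / 'Latency reached'
    minimum: float            # 'Minimum ... Threshold for detection'


# Page defaults: per-IP TPS criteria and per-URL latency criteria (latency in ms).
IP_TPS_DEFAULTS = Criteria(increased_by_pct=500.0, reached=200.0, minimum=40.0)
URL_LATENCY_DEFAULTS = Criteria(increased_by_pct=500.0, reached=10000.0, minimum=200.0)


def evaluate_criteria(detection_avg: float, history_avg: float, c: Criteria) -> tuple[bool, str]:
    """Return (attack?, reason). Two independent routes exist:
    - 'reached': the detection-interval average hits the absolute threshold, so a
      gradual ramp that never exceeds the ratio is still caught;
    - 'increased_by': detection/history exceeds the percentage AND the minimum
      threshold is met (assumption: 'increased by P%' means ratio*100 > P).
    """
    if detection_avg >= c.reached:
        return True, "reached"
    if detection_avg >= c.minimum and history_avg > 0:
        ratio_pct = detection_avg / history_avg * 100.0
        if ratio_pct > c.increased_by_pct:
            return True, "increased_by"
    return False, "normal"


class AnomalyDetector:
    """One-second samples (TPS, or latency in ms) for a single IP address or URL.

    detection_average() covers the last minute, history_average() the whole
    retained window (assumed one hour); the page recomputes the former every
    second and the latter every minute, but the arithmetic is the same.
    """

    def __init__(self, criteria: Criteria, detection_seconds: int = 60, history_seconds: int = 3600):
        self.criteria = criteria
        self.detection_seconds = detection_seconds
        self.samples: deque[float] = deque(maxlen=history_seconds)

    def add_sample(self, value: float) -> None:
        self.samples.append(value)

    def detection_average(self) -> float:
        recent = list(self.samples)[-self.detection_seconds:]
        return sum(recent) / len(recent) if recent else 0.0

    def history_average(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def evaluate(self) -> tuple[bool, str]:
        return evaluate_criteria(self.detection_average(), self.history_average(), self.criteria)


def replay_ip_tps(per_second_counts: list[float]) -> tuple[bool, str]:
    """Feed a constructed per-second request count for one address and evaluate it."""
    detector = AnomalyDetector(IP_TPS_DEFAULTS)
    for count in per_second_counts:
        detector.add_sample(count)
    return detector.evaluate()


if __name__ == "__main__":
    # Constructed sample: an hour at 10 requests/s from one address, then a minute at 100/s.
    baseline = [10.0] * 3600
    burst = [100.0] * 60
    print(replay_ip_tps(baseline + burst))   # (True, 'increased_by')
    print(evaluate_criteria(10500.0, 9000.0, URL_LATENCY_DEFAULTS))   # (True, 'reached')
```

The second call in the `__main__` block reproduces the case the chapter uses to motivate the absolute threshold: latency creeping from 9000 ms to 10500 ms is only a 117% ratio, far below 500%, yet it trips Latency reached.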

Overview: Preventing DoS attacks for Layer 7 traffic

You can configure the Application Security Manager™ to protect against L7 DoS attacks. Depending on your configuration, the system detects DoS attacks based on transactions per second (TPS) on the client side, or server latency, or both.

You configure DoS protection for Layer 7 by creating a DoS profile with Application Security enabled. You then associate the DoS profile with one or more virtual servers representing applications that you want to protect. DoS protection is not part of a security policy.

Task Summary

Configuring Layer 7 DoS protection

You can configure Application Security Manager™ to mitigate DoS attacks and increase system security.
  1. On the Main tab, click Security > DoS Protection. The DoS Profiles list screen opens.
  2. Click Create. The Create New DoS Profile screen opens.
  3. In the Profile Name field, type the name for the profile.
  4. Select the Application Security check box. The screen refreshes and displays additional configuration settings.
  5. If you have written an application DoS iRule to specify how the system handles a DoS attack and recovers afterwards, you may select the Trigger iRule setting.
  6. If you want to set up DoS protection from the client side, in the TPS-based Anomaly area, select an Operation Mode and set up TPS-based DoS protection. Another task describes how to configure the settings.
  7. If you want to set up DoS protection from the server side, in the Latency-based Anomaly area, select an Operation Mode and set up latency-based DoS protection. Another task describes how to configure the settings.
  8. To omit certain addresses, for the IP Address Whitelist setting, type IP addresses or subnets that do not need to be examined for DoS attacks, and click Add.
    Note: You can add up to twenty IP addresses.
  9. Click Finished to save the DoS profile.
You have created a DoS profile.
Next, configure TPS-based or latency-based DoS protection settings, or both.

Configuring TPS-based DoS protection settings

You can configure Application Security Manager™ to mitigate DoS attacks based on transaction rates using TPS-based DoS protection.
  1. On the Main tab, click Security > DoS Protection. The DoS Profiles list screen opens.
  2. Click the name of an existing DoS profile (or create a new one). The DoS Profile Properties screen opens.
  3. Select the Application Security check box. The screen refreshes and displays additional configuration settings.
  4. In the TPS-based Anomaly area, for Operation Mode, select an operation mode.
    Transparent: Displays information about DoS attacks on the DoS: Application reporting screen but does not block requests.
    Blocking: Drops connections coming from an attacking IP address and requests to attacked URLs. Also displays information about DoS attacks on the DoS: Application reporting screen.
    The screen refreshes to display additional configuration settings when you select an operation mode.
  5. For the Prevention Policy setting, select one or more options to determine how the system handles a DoS attack.
    Note: If you enable more than one option, the system uses the options in the order in which they are listed.
    Source IP-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious IP addresses are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    URL-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious URLs are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. This setting enforces strong protection and prevents distributed DoS attacks but affects more clients. The default is disabled.
    Source IP-Based Rate Limiting: Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.
    URL-Based Rate Limiting: Indicates that when the system detects a URL under attack, Application Security Manager drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.
  6. For IP Detection Criteria, modify the threshold values as needed.
    Note: This setting appears only if Prevention Policy is set to Source IP-Based Client Side Integrity Defense and/or Source IP-Based Rate Limiting.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
    TPS increased by: Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage. The default value is 500%.
    TPS reached: Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 200 TPS.
    Minimum TPS Threshold for detection: Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.
    Tip: Click the Set default criteria link to reset these settings to their default values.
  7. For the Prevention Duration setting, specify the length of time for which the system mitigates DoS attacks:
    • To perform attack prevention until the system detects the end of the attack, select Unlimited.
    • To limit the amount of time for attack prevention, select Maximum and type a value, in seconds. The system prevents detected DoS attacks for the time configured here (even if the attack is still occurring), or until the system detects the end of the attack, whichever is sooner.
  8. Click Update to save the DoS profile.
You have now configured a DoS profile to prevent DoS attacks based on the client side (TPS-based Detection Mode).
Next, you need to associate the DoS profile with the application’s virtual server.

Configuring latency-based DoS protection

You can configure Application Security Manager™ to mitigate Layer 7 DoS attacks based on server latency.
  1. On the Main tab, click Security > DoS Protection. The DoS Profiles list screen opens.
  2. Click the name of an existing DoS profile (or create a new one). The DoS Profile Properties screen opens.
  3. Select the Application Security check box. The screen refreshes and displays additional configuration settings.
  4. In the Latency-based Anomaly area, for Operation Mode, select an operation mode.
    Transparent: Displays information about DoS attacks on the DoS: Application reporting screen but does not block requests.
    Blocking: Drops connections coming from an attacking IP address and requests to attacked URLs. Also displays information about DoS attacks on the DoS: Application reporting screen.
    The screen refreshes to display additional configuration settings when you select an operation mode.
  5. For Detection Criteria, modify the threshold values as needed. If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
    Latency increased by: Specifies that the system considers traffic to be an attack if the minimum latency threshold was reached and the latency has increased by this percentage. The default value is 500%.
    Latency reached: Specifies that the system considers traffic to be an attack if the latency is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases latency gradually, the increase might not exceed the Latency increased by threshold and would not be detected. If server latency reaches the Latency reached value, the system considers traffic to be an attack even if it did not meet the Latency increased by value. The default value is 10000 ms.
    Minimum Latency Threshold for detection: Specifies that the system considers traffic to be an attack if the latency during the detection interval for a specific URL equals, or is greater than, this number, and the Latency increased by percentage was also reached. The default setting is 200 ms.
    Tip: Click the Set default criteria link to reset these settings to their default values.
  6. For the Prevention Policy setting, select one or more options to determine how the system handles a DoS attack.
    Note: If you enable more than one option, the system uses the options in the order in which they are listed.
    Source IP-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious IP addresses are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    URL-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious URLs are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. This setting enforces strong protection and prevents distributed DoS attacks but affects more clients. The default is disabled.
    Source IP-Based Rate Limiting: Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.
    URL-Based Rate Limiting: Indicates that when the system detects a URL under attack, Application Security Manager drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.
  7. For Suspicious IP Criteria, modify the threshold values as needed.
    Note: This setting appears only if Prevention Policy is set to Source IP-Based Client Side Integrity Defense and/or Source IP-Based Rate Limiting.
    TPS increased by: Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage. The default value is 500%.
    TPS reached: Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 200 TPS.
    Minimum TPS Threshold for detection: Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
  8. For Suspicious URL Criteria, modify the threshold values as needed.
    Note: This setting appears only if Prevention Policy is set to URL-Based Client Side Integrity Defense and/or URL-Based Rate Limiting.
    TPS increased by: Specifies that the system considers a URL to be under attack if the transactions per second sent to the URL have increased by this percentage. The default value is 500%.
    TPS reached: Specifies that the system considers a URL to be suspicious if the number of transactions sent per second to the URL is equal to or greater than this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 1000 TPS.
    Minimum TPS Threshold for detection: Specifies that the system considers a URL to be under attack if the detected TPS for a specific URL equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.
    If any of these criteria is met, the system handles the attack according to the Prevention Policy settings.
  9. For the Prevention Duration setting, specify the length of time for which the system mitigates DoS attacks:
    • To perform attack prevention until the system detects the end of the attack, select Unlimited.
    • To limit the amount of time for attack prevention, select Maximum and type a value, in seconds. The system prevents detected DoS attacks for the time configured here (even if the attack is still occurring), or until the system detects the end of the attack, whichever is sooner.
  10. Click Update to save the DoS profile.
You have now configured a DoS profile to prevent DoS attacks based on server latency.
Next, associate the DoS profile with the application’s virtual server.
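The Prevention Policy and Prevention Duration settings in both procedures above (TPS-based and latency-based) describe the same mitigation: Source IP-Based Rate Limiting holds a suspicious address to its pre-attack average rate, never above the absolute TPS reached threshold, and Maximum prevention duration ends the mitigation after the configured seconds even if the attack continues. The Python below is an added model of that behaviour, not code from this manual or from BIG-IP; `PerSecondLimiter`, `Prevention`, `mitigation_rate` and `simulate` are our names, the fixed one-second window is a simplification of whatever the product actually uses, and the request stream is constructed from documentation addresses.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PerSecondLimiter:
    """Fixed one-second window limiter for a single suspicious source address."""
    limit: float              # requests allowed per second
    window: int = -1          # the second currently being counted
    count: int = 0

    def allow(self, now: int) -> bool:
        if now != self.window:
            self.window, self.count = now, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def mitigation_rate(pre_attack_avg_tps: float, tps_reached: float) -> float:
    """Rate applied to a suspicious IP: the average rate prior to the attack,
    capped by the absolute 'TPS reached' threshold (the page names both bounds)."""
    return min(pre_attack_avg_tps, tps_reached)


@dataclass
class Prevention:
    """Mitigation state for one detected attack, honouring Prevention Duration."""
    limiter: PerSecondLimiter
    started_at: int
    max_duration: Optional[int]   # None models the 'Unlimited' setting

    def active(self, now: int, attack_ongoing: bool) -> bool:
        # Stops at the end of the attack or at the configured maximum, whichever is sooner.
        if not attack_ongoing:
            return False
        if self.max_duration is not None and now >= self.started_at + self.max_duration:
            return False
        return True


def simulate(requests, suspicious_ip, pre_attack_avg_tps, tps_reached, max_duration):
    """Replay (second, source_ip) pairs in time order; tally allowed/dropped per source.

    Only the suspicious address is limited; every other client passes untouched.
    The attack is modelled as ongoing for the whole replay so the duration cap
    is what ends mitigation.
    """
    ordered = sorted(requests, key=lambda r: r[0])
    prevention = Prevention(
        limiter=PerSecondLimiter(mitigation_rate(pre_attack_avg_tps, tps_reached)),
        started_at=ordered[0][0],
        max_duration=max_duration,
    )
    tally = {}
    for now, ip in ordered:
        counts = tally.setdefault(ip, {"allowed": 0, "dropped": 0})
        if ip == suspicious_ip and prevention.active(now, attack_ongoing=True):
            verdict = "allowed" if prevention.limiter.allow(now) else "dropped"
        else:
            verdict = "allowed"
        counts[verdict] += 1
    return tally


# Constructed sample: three seconds of traffic, 40 req/s from the suspicious
# address and 5 req/s from a legitimate one (both from documentation ranges).
SAMPLE_REQUESTS = (
    [(s, "203.0.113.7") for s in range(3) for _ in range(40)]
    + [(s, "198.51.100.2") for s in range(3) for _ in range(5)]
)

if __name__ == "__main__":
    # Pre-attack average 15 TPS, TPS reached 200, Maximum prevention duration 2 s.
    print(simulate(SAMPLE_REQUESTS, "203.0.113.7", 15.0, 200.0, 2))
    # Same stream with Prevention Duration set to Unlimited.
    print(simulate(SAMPLE_REQUESTS, "203.0.113.7", 15.0, 200.0, None))
```

With a 2-second maximum, the suspicious address is held to 15 of its 40 requests in seconds 0 and 1 and then passes freely in second 2, while the legitimate client is never touched; with Unlimited, the limit applies for all three seconds. Reading the two tallies side by side is the quickest way to see why a short Maximum value trades blocking coverage for a bounded impact on any client wrongly classed as suspicious.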

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol.
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  4. From the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Displaying DoS event logs

You can display DoS Application event logs to see whether L7 DoS attacks have occurred, and view information about the attacks.
  1. On the Main tab, click Security > Event Logs > DoS > Application. The DoS Application event log opens.
  2. Review the list of DoS attacks to see what has occurred, what mitigation is in place, and what caused the attacks.
  3. Click the Attack ID link for an attack to display additional information in a chart form.

Viewing L7 DoS attack reports

Before you can look at the DoS attack statistics, you need to have created a DoS profile so that the system is capturing the analytics on the BIG-IP® system. You must associate the DoS profile with one or more virtual servers. If your browser is IE8 or earlier, you need to have Adobe Flash Player installed on the computer where you plan to review the data.
You can display charts that show information about DoS attacks. The charts provide visibility into what caused the attack, IP addresses of the attackers, which applications are being attacked, and how the attacks are being mitigated.
  1. On the Main tab, click Security > Reporting > DoS. The DoS Application reporting screen opens.
  2. From the View By list, select the way you want to view information about DoS attacks. For example, click Client IP Addresses to see the IP addresses from which the attacks are emanating.
  3. If you want to filter the information that displays further, click Expand Advanced Filters and select the details you want to see.
  4. To focus in on the specific details you want more information about, point to the chart or click it. The system displays information about the item.
You can continue to review the details about DoS attacks on the reporting screens. As a result, you become more familiar with what caused the attacks, what applications are most vulnerable, and see the mitigation methods that are in place.

Implementation Result

When you have completed the steps in this implementation, you have configured the Application Security Manager™ to protect against L7 DoS attacks. Depending on your configuration, the system detects DoS attacks based on transactions per second (TPS) on the client side, server latency, or both.

In TPS-based detection mode, if the ratio of the transaction rate during the detection interval to the transaction rate during the history interval is greater than the TPS increased by percentage, the system considers the URL to be under attack, or the IP address to be suspicious.

In latency-based detection mode, if the ratio of the latency during the detection interval to the latency during the history interval is greater than the Latency increased by percentage, the system considers the URL to be under attack, or the IP address to be suspicious.

If you chose the blocking operation mode, the system drops requests from suspicious IP addresses and URLs. If using the transparent operation mode, the system reports DoS attacks but does not block them.

After traffic is flowing to the system, you can check whether DoS attacks are being prevented, and investigate them by viewing DoS event logs and reports.
