
Manual Chapter: About System DoS and DDoS Attacks

About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

DoS and DDoS attack detection and prevention is enabled by the BIG-IP Advanced Firewall Module (AFM). DoS and DDoS detection and prevention serves two functions.

  • To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.
  • To identify unusual increases in packets of specific types that are known attack vectors. The system tracks possible attack vectors over the past hour and compares the current rate of each to the average for that hour.

You can configure a BIG-IP device to detect all system-supported DoS attacks at levels that you specify.

Detecting and protecting against DoS and DDoS attacks

The BIG-IP system handles DoS and DDoS attacks with preconfigured responses. With the DoS Protection Device Configuration, you set detection thresholds and internal rate limits for a range of DoS and DDoS attack vectors.
  1. On the Main tab, click Security > DoS Protection > Device Configuration. The DoS Protection Device Configuration screen opens.
  2. If you are using remote logging, from the Log Publisher list, select a destination to which the BIG-IP system sends DoS and DDoS log entries.
  3. In the Attack Type column, click the name of any attack type to edit the settings. The configuration page for the particular attack appears.
  4. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value, in packets per second, for the attack detection threshold. If packets of this type cross the threshold, an attack is logged and reported. The system continues to check every second, and continues to flag the traffic as an attack for as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is never logged or reported.
  5. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set the percentage increase that indicates an attack is occurring. The system compares the current rate to an average rate from the last hour. For example, if the average rate for the last hour is 1000 packets per second, and you set the percentage increase threshold to 100, an attack is detected at 100 percent above the average, or 2000 packets per second. When the threshold is passed, an attack is logged and reported. The system then automatically institutes a rate limit equal to the average for the last hour, and all packets above that limit are dropped. The system continues to check every second until the incoming packet rate drops below the percentage increase threshold. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is never logged or reported.
  6. From the Default Internal Rate Limit list, select Specify or Infinite.
    • Use Specify to set a value, in packets per second, that packets of this type cannot exceed. All packets of this type over the limit are dropped. Rate limiting continues until the rate drops below the specified limit again.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. Click the Update button. The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  8. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Next, configure SNMP traps, logging, and reporting for DoS attacks to track threats to your system.
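To see how the three settings in steps 4 through 6 interact before you choose values, the following added example (not F5 code and not part of the original manual) models the per-second evaluation in Python. The names `VectorModel` and `simulate` are hypothetical, and the traffic is constructed. It assumes that a threshold is passed only when the rate is strictly above it, that every second counts toward the hourly average, and that the lower limit applies when both a percent-triggered limit and an internal rate limit are active.

```python
from collections import deque

INFINITE = None  # models the "Infinite" list choice: setting disabled

class VectorModel:
    """Toy model of one attack type's three settings, evaluated once per second."""

    def __init__(self, detect_pps=INFINITE, detect_percent=INFINITE,
                 rate_limit_pps=INFINITE, window_seconds=3600):
        self.detect_pps = detect_pps          # Detection Threshold PPS
        self.detect_percent = detect_percent  # Detection Threshold Percent
        self.rate_limit_pps = rate_limit_pps  # Default Internal Rate Limit
        self.history = deque(maxlen=window_seconds)  # last hour of per-second rates

    def evaluate(self, pps):
        avg = sum(self.history) / len(self.history) if self.history else None
        reasons, limit = [], self.rate_limit_pps
        if self.detect_pps is not INFINITE and pps > self.detect_pps:
            reasons.append("pps")  # logged and reported only; no drop from this setting
        if (self.detect_percent is not INFINITE and avg is not None
                and pps > avg * (1 + self.detect_percent / 100)):
            reasons.append("percent")
            # Percent detection imposes a rate limit equal to the hourly average.
            # Assumption: when an internal limit is also set, the lower one wins.
            limit = avg if limit is INFINITE else min(limit, avg)
        dropped = max(0, pps - limit) if limit is not INFINITE else 0
        self.history.append(pps)  # assumption: every second counts toward the average
        return {"attack": bool(reasons), "reasons": reasons, "dropped": dropped}

def simulate(rates, **settings):
    """Run a constructed sequence of per-second packet rates through the model."""
    model = VectorModel(**settings)
    return [model.evaluate(pps) for pps in rates]

if __name__ == "__main__":
    # Constructed traffic: one minute at 1000 pps, then a burst.
    rates = [1000] * 60 + [1500, 2500, 12000]
    results = simulate(rates, detect_pps=5000, detect_percent=100, rate_limit_pps=10000)
    for pps, result in list(zip(rates, results))[-3:]:
        print(pps, result)
```

With all three settings left at Infinite, the model never reports or drops anything, which is the practical consequence of leaving an attack type unconfigured.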