Manual Chapter: About DNS DoS Attacks

About configuring the BIG-IP system to detect DNS DoS attacks

DNS DoS protection is enabled with the BIG-IP Protocol Security Manager module. DNS attack detection and prevention serves two functions:

  • To detect and automatically drop DNS packets that are malformed or contain errors.
  • To log unusual increases in DNS packets of any type, including packets that are malformed, packets that contain errors, or packets of any other type that appear to rapidly increase.

You can use the DNS DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack in progress on a particular DNS query type, or an increase in anomalous packets. Later, you can use the reporting or logging functions to detect such packets, and you can use the DNS Security profile to drop packets with specific query types or header opcodes.

Detecting and protecting against DNS denial of service attacks with a DoS profile

In this task, you create the DoS protection profile and configure DNS settings at the same time. However, you can configure DNS attack settings in a DoS profile that already exists.
The BIG-IP system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses. You can configure settings to identify DNS attacks with a DoS profile.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles. The DoS Profiles list screen opens.
  2. Click Create. The Create New DoS Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. To configure DNS security settings, next to Protocol Security (DNS), select Enabled.
  5. To enable attack detection based on the rate of DNS errors, next to Protocol Errors Attack Detection, select Enabled.
  6. In the Rate Increased by % field, type the rate of change in DNS errors to detect as anomalous. Detection compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% would indicate an attack if the average rate for the previous hour was 100000 packets/second and over the last minute the rate increased to 500000 packets/second.
  7. To change the threshold or rate increase for a particular DNS query type, in the DNS Query Attack Detection area, select the Enabled check box for each query type that you want to change, then change the values for Threshold and Rate Increase in the associated fields. For example, to change the threshold for IPv6 address requests, select the Enabled check box next to aaaa, then set the threshold in packets per second and the rate increase percentage that are to be considered an attack. The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% would indicate an attack if the average rate for the previous hour was 100000 packets/second and over the last minute the rate increased to 500000 packets/second.
    Note: DNS Query Attack Detection allows you to configure the thresholds at which the firewall registers an attack. However, no packets are dropped if an attack is detected.
  8. Click Update to save your changes.
You have now configured a DoS protection profile to provide custom responses to malformed DNS attacks and DNS flood attacks, and to allow such attacks to be identified in system logs and reports.
Associate the DoS protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server. When a DNS attack on a specific query type is detected, you can configure the DNS security profile to drop packets of a query type that appears to be an attack vector.
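To make the rate-increase arithmetic in steps 6 and 7 concrete, here is an added Python model of the detection decision. It is example code written for this page, not part of the BIG-IP product or of F5's documentation. The per-query-type packet counters are constructed sample data, and the rule that a query type is flagged only when both the packets-per-second Threshold and the Rate Increase percentage are met is an assumption about how the two fields combine, not a statement taken from the chapter. The percentage is computed the way the chapter's own example reads it: 100000 pps rising to 500000 pps is a 500% rate.

```python
"""Model of BIG-IP style DNS query-type rate-increase detection.

Added example for this page (not F5 code). Counters below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class QueryTypeSetting:
    """Per-query-type settings from the DNS Query Attack Detection area."""
    threshold_pps: int       # Threshold field: minimum last-minute rate (packets/second)
    rate_increase_pct: int   # Rate Increase field: last-minute rate as % of last-hour rate


@dataclass(frozen=True)
class Verdict:
    query_type: str
    hour_rate_pps: float
    minute_rate_pps: float
    increase_pct: Optional[float]   # None when the hourly baseline is zero
    attack: bool


def rate_increase_pct(hour_rate_pps: float, minute_rate_pps: float) -> Optional[float]:
    """Express the last-minute rate as a percentage of the last-hour baseline.

    Matches the chapter's worked example: 100000 pps -> 500000 pps is 500%.
    With no baseline traffic the ratio is undefined, so None is returned.
    """
    if hour_rate_pps <= 0:
        return None
    return minute_rate_pps / hour_rate_pps * 100.0


def evaluate(query_type: str, hour_packets: int, minute_packets: int,
             setting: QueryTypeSetting) -> Verdict:
    """Decide whether one query type's traffic looks like an attack."""
    hour_rate = hour_packets / 3600.0      # average pps over the previous hour
    minute_rate = minute_packets / 60.0    # average pps over the last minute
    pct = rate_increase_pct(hour_rate, minute_rate)
    # Assumption (not from the chapter): both the absolute threshold and the
    # relative increase must be met. With no baseline only the threshold applies.
    over_threshold = minute_rate >= setting.threshold_pps
    over_increase = pct is None or pct >= setting.rate_increase_pct
    return Verdict(query_type, hour_rate, minute_rate, pct, over_threshold and over_increase)


def detect(counters: Dict[str, Tuple[int, int]],
           settings: Dict[str, QueryTypeSetting]) -> List[Verdict]:
    """Evaluate every query type that has a setting; counters are (hour, minute) packet totals."""
    return [evaluate(qtype, *counters.get(qtype, (0, 0)), setting)
            for qtype, setting in sorted(settings.items())]


def detected_types(verdicts: List[Verdict]) -> List[str]:
    return [v.query_type for v in verdicts if v.attack]


# Constructed sample settings: 500% mirrors the chapter's example value.
SAMPLE_SETTINGS = {
    "a":    QueryTypeSetting(threshold_pps=10000, rate_increase_pct=500),
    "aaaa": QueryTypeSetting(threshold_pps=1000, rate_increase_pct=500),
    "any":  QueryTypeSetting(threshold_pps=10000, rate_increase_pct=500),
    "mx":   QueryTypeSetting(threshold_pps=1000, rate_increase_pct=500),
}

# Constructed sample counters: (packets in previous hour, packets in last minute).
SAMPLE_COUNTERS = {
    "a":    (100000 * 3600, 500000 * 60),   # 100000 pps -> 500000 pps: the chapter's example
    "aaaa": (1000 * 3600, 4000 * 60),       # 400%: busy, but below the 500% setting
    "any":  (0, 20000 * 60),                # no baseline, far above threshold
    "mx":   (50 * 3600, 300 * 60),          # 600% increase but below the 1000 pps threshold
}


def run_example() -> List[Verdict]:
    return detect(SAMPLE_COUNTERS, SAMPLE_SETTINGS)


if __name__ == "__main__":
    for v in run_example():
        pct = "n/a" if v.increase_pct is None else f"{v.increase_pct:.0f}%"
        print(f"{v.query_type:5} hour={v.hour_rate_pps:9.0f} pps  minute={v.minute_rate_pps:9.0f} pps"
              f"  increase={pct:>5}  attack={v.attack}")
```

The mx row is the case the Threshold field exists for: a small zone going from 50 to 300 pps is a large relative jump but not a flood, so the absolute threshold keeps it out of the attack log; the any row shows why a threshold is still needed when there is no hourly baseline to compare against. As the note in step 7 says, a positive verdict only registers and logs the attack; dropping is configured separately in the DNS Security profile.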

Creating a custom DNS profile to firewall DNS traffic

Ensure that you have a DNS security profile created before you configure this system DNS profile.
You can create a custom DNS profile to configure how the BIG-IP system firewalls DNS traffic passing through the system.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
  2. Click Create. The New DNS profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. From the DNS Security list, select Enabled.
  7. From the DNS Security Profile Name list, select the name of the DNS firewall profile.
  8. Click Finished.
Assign the custom DNS profile to the virtual server that handles the DNS traffic that you want to firewall.

Assigning a DNS profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the DNS Profile list, select the profile you want to assign to the virtual server.
  4. Click Update.
The virtual server now uses the DNS settings from the DNS Security profile.

Attaching denial of service detection to a virtual server

Create a DoS Protection Profile separately, to configure denial-of-service detection for applications and for the DNS protocol.
Add denial-of-service detection to a virtual server to provide enhanced protection against DoS attacks on that virtual server, and to more accurately track anomalous activity on it.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  4. On the Security tab, click Policies.
  5. To enable custom denial-of-service protection on the virtual server, next to DoS Protection Profile, select Enabled, then select the profile from the Profile list.
  6. Click Update.
DoS protection is now enabled, and the DoS protection policy is associated with the selected virtual server.