You can protect network resources from snooping clients or various Denial of Service (DoS) attacks.
You can perform certain configuration tasks to prevent Distributed Denial of Service (DDoS) attacks on the BIG-IP system.
Adaptive reaping protects the BIG-IP system when memory runs short. The adaptive connection reaper closes idle connections as memory usage on the BIG-IP system rises: once system memory utilization reaches the low-water mark percentage, the system begins to aggressively reap idle connections, and once utilization reaches the high-water mark percentage, the system stops establishing new connections until utilization falls again.
When aggressive mode is activated or deactivated on the BIG-IP system, the event is recorded in the /var/log/ltm file with messages similar to these examples:

tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)

The figures in parentheses are the memory pages in use and the total memory pages; 117504 of 138240 pages is 85 percent utilization, which is the ratio the system compares against the low- and high-water marks.
A SYN flood is a type of Denial of Service attack in which an attacker sends a succession of TCP SYN requests to a system without completing the handshakes, with the intent of consuming available connection resources and rendering the system unresponsive. To prevent flooding on the BIG-IP system and to preserve memory, you can adjust the SYN Check threshold. When the number of half-open (embryonic) connections exceeds this threshold, the system stops allocating connection state for each incoming SYN and instead answers with SYN cookies, allocating state only when a client's final ACK validates the cookie.
One way to reduce the effect of Denial of Service attacks is to configure the way that the BIG-IP system handles ICMP packets.
The TM.MaxICMPRate bigdb key can reduce the effects of a denial of service attack by allowing you to limit the number of responses that the BIG-IP system sends for ICMP errors and ICMP unreachable events.
The TM.MaxICMPRate bigdb key specifies a general rate limit, in packets per second, on ICMP error messages that servers send back through the BIG-IP system to clients. Each ICMP event must be associated with an established connection flow; ICMP errors that cannot be matched to a flow are not forwarded.
For example, if a virtual server connection causes a pool member to generate ICMP unreachable responses, the BIG-IP system passes those responses back to the clients until the number of ICMP messages reaches the value specified by the TM.MaxICMPRate bigdb key. Once the number of ICMP messages reaches this value, the BIG-IP system stops forwarding ICMP responses until the rate drops below the limit again.
The TM.MaxRejectRate bigdb key can reduce the effects of a Denial of Service attack by allowing you to limit the number of ICMP unreachable packets per second that the BIG-IP system sends in response to incoming client-side or server-side packets destined to traffic management listener IP addresses (such as virtual servers or SNATs) that cannot be matched to an existing connection. The same key governs TCP RST responses to unmatched packets; the example below is for ICMP.
When the TM.MaxRejectRate threshold is exceeded for ICMP, the BIG-IP system stops sending ICMP unreachable packets in response to the excess unmatched packets and logs a message to the /var/log/ltm file similar to the following example, in which 299 unmatched packets per second arrived and responses were held to the configured 250 per second:

tmm tmm: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
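The two log messages quoted above (adaptive reaper aggressive mode and TM.MaxRejectRate limiting) are what an operator or a SIEM rule actually sees during a DoS event. The following is an added example, not code from the page or from F5, that scans /var/log/ltm text for both message types and rolls them up into the figures worth alerting on. The sample log is constructed here; its syslog prefix (date, host, level, PID) and the unrelated final line are assumptions, while the message text after the 011e0002 and 011e0001 message IDs follows the page's examples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample of /var/log/ltm lines (not a real capture). The syslog
# prefix and PID are assumptions; the message bodies follow the page's examples.
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 notice tmm[12345]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
Jan 10 12:00:09 bigip1 notice tmm[12345]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
Jan 10 12:03:15 bigip1 notice tmm[12345]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
Jan 10 12:03:16 bigip1 notice tmm[12345]: 011e0001:4: Limiting icmp unreach response from 1200 to 250 packets/sec
Jan 10 12:04:00 bigip1 info tmm[12345]: example unrelated line (constructed)
"""

# Match on the message ID plus the fixed text, so the syslog prefix can vary.
SWEEPER_RE = re.compile(
    r"011e0002:\d+: sweeper_update: aggressive mode (?P<state>activated|deactivated)\."
    r" \((?P<used>\d+)/(?P<total>\d+) pages\)"
)
REJECT_RE = re.compile(
    r"011e0001:\d+: Limiting icmp unreach response from (?P<offered>\d+) to (?P<limit>\d+) packets/sec"
)


@dataclass
class SweeperEvent:
    """Adaptive reaper entering or leaving aggressive mode."""
    activated: bool
    used_pages: int
    total_pages: int

    @property
    def memory_pct(self) -> float:
        # The utilization the system compares against the reaper low-/high-water marks.
        return 100.0 * self.used_pages / self.total_pages


@dataclass
class RejectRateEvent:
    """TM.MaxRejectRate clamping ICMP unreachable responses."""
    offered_pps: int   # unmatched packets per second that would have drawn a response
    limit_pps: int     # the configured TM.MaxRejectRate value

    @property
    def suppressed_pps(self) -> int:
        return self.offered_pps - self.limit_pps


Event = Union[SweeperEvent, RejectRateEvent]


def parse_line(line: str) -> Optional[Event]:
    """Return the event a single ltm log line describes, or None for other lines."""
    m = SWEEPER_RE.search(line)
    if m:
        return SweeperEvent(m["state"] == "activated", int(m["used"]), int(m["total"]))
    m = REJECT_RE.search(line)
    if m:
        return RejectRateEvent(int(m["offered"]), int(m["limit"]))
    return None


def scan_log(text: str) -> List[Event]:
    """Parse every line, keeping only the two message types of interest."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events: List[Event]) -> dict:
    """Roll the events up into the figures an on-call engineer looks at first."""
    sweeper = [e for e in events if isinstance(e, SweeperEvent)]
    rejects = [e for e in events if isinstance(e, RejectRateEvent)]
    return {
        "aggressive_activations": sum(1 for e in sweeper if e.activated),
        "peak_memory_pct": max((e.memory_pct for e in sweeper), default=0.0),
        "max_suppressed_pps": max((e.suppressed_pps for e in rejects), default=0),
        "reject_rate_limit_pps": rejects[0].limit_pps if rejects else None,
    }


if __name__ == "__main__":
    print(summarize(scan_log(SAMPLE_LTM_LOG)))
```

The summary distinguishes a brief memory spike (one activation, utilization at the low-water mark) from a sustained flood (rising suppressed packet counts against a fixed TM.MaxRejectRate), which is the difference between a capacity note and an incident.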
You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP® system to another. More specifically, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.
Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies, to the system you are configuring, the other BIG-IP system with which it communicates during Phase 1 negotiation, and specifies the algorithms and credentials to use for that negotiation. Creating an IKE peer is a required step in establishing a secure channel between the two systems; because Phase 1 succeeds only when both sides agree, the algorithms and credentials you choose here must be configured compatibly on the other BIG-IP system as well.
| Setting | Description |
| The default values | The default authentication method is RSA signature. Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings, rather than relying on the certificate the system ships with. |
| The authentication method Preshared Key | Lets you type a preshared key to use as the authentication method. The same key must be configured on both peers; choose a long, random value, because anyone who learns it can authenticate as either peer. |
Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.
The example configuration for this procedure records the following settings for each of the two systems:

| System Name | Tunnel Local Address | Tunnel Remote Address | Source IP Address | Destination IP Address |
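A Tunnel-mode policy between two BIG-IP systems only works when the two sides mirror each other: one system's Tunnel Local Address is the other's Tunnel Remote Address, and one system's Source IP Address is the other's Destination IP Address. The following is an added example, not code from the page or from F5, that checks a pair of configurations for that symmetry before they are applied. The field names and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TunnelSide:
    """One BIG-IP system's Tunnel-mode settings.

    Field names are assumptions that mirror the table's column headers."""
    system_name: str
    tunnel_local: str    # this system's tunnel (outer) address
    tunnel_remote: str   # the peer's tunnel (outer) address
    source: str          # protected traffic leaving this system (host or CIDR)
    destination: str     # protected traffic reaching the peer (host or CIDR)


def _net(value: str):
    # Accept a bare host ("10.1.0.5") or a prefix ("10.1.0.0/24") for selectors.
    return ipaddress.ip_network(value, strict=False)


def check_tunnel_pair(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Return the problems found; an empty list means the two sides mirror each other."""
    problems: List[str] = []

    # 1. Every outer address must parse as a host address and every selector as
    #    a host or prefix; a typo here fails later with an unhelpful IKE error.
    for side in (a, b):
        for name in ("tunnel_local", "tunnel_remote"):
            try:
                ipaddress.ip_address(getattr(side, name))
            except ValueError:
                problems.append(f"{side.system_name}: {name} {getattr(side, name)!r} is not a valid IP address")
        for name in ("source", "destination"):
            try:
                _net(getattr(side, name))
            except ValueError:
                problems.append(f"{side.system_name}: {name} {getattr(side, name)!r} is not a valid address or prefix")
    if problems:
        return problems  # nothing to compare until the values parse

    # 2. The tunnel endpoints must be each other's mirror image.
    if a.tunnel_local != b.tunnel_remote:
        problems.append(f"{a.system_name} tunnel local {a.tunnel_local} != "
                        f"{b.system_name} tunnel remote {b.tunnel_remote}")
    if b.tunnel_local != a.tunnel_remote:
        problems.append(f"{b.system_name} tunnel local {b.tunnel_local} != "
                        f"{a.system_name} tunnel remote {a.tunnel_remote}")
    for side in (a, b):
        if side.tunnel_local == side.tunnel_remote:
            problems.append(f"{side.system_name}: tunnel local and remote are the same address")

    # 3. The traffic selectors must be mirrored too; otherwise one direction
    #    matches the policy and the replies do not.
    if _net(a.source) != _net(b.destination):
        problems.append(f"{a.system_name} source {a.source} != {b.system_name} destination {b.destination}")
    if _net(a.destination) != _net(b.source):
        problems.append(f"{a.system_name} destination {a.destination} != {b.system_name} source {b.source}")
    return problems


# Constructed sample pair (documentation address ranges, not a real deployment).
BIGIP_A = TunnelSide("bigip_a", "192.0.2.10", "198.51.100.20", "10.1.0.0/24", "10.2.0.0/24")
BIGIP_B = TunnelSide("bigip_b", "198.51.100.20", "192.0.2.10", "10.2.0.0/24", "10.1.0.0/24")
# A common mistake: the second system's selectors copied from the first instead of swapped.
BIGIP_B_COPIED = TunnelSide("bigip_b", "198.51.100.20", "192.0.2.10", "10.1.0.0/24", "10.2.0.0/24")

if __name__ == "__main__":
    print(check_tunnel_pair(BIGIP_A, BIGIP_B))          # []
    print(check_tunnel_pair(BIGIP_A, BIGIP_B_COPIED))   # two selector mismatches
```

Run the check against both systems' intended settings before clicking through the two procedures; the mirrored-selector check catches the copy-and-paste error that otherwise shows up only as traffic silently bypassing, or being dropped by, the tunnel.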