Manual Chapter: Advanced Security

Overview

You can protect network resources from snooping clients or various Denial of Service (DoS) attacks.

Distributed Denial of Service protection

You can perform certain configuration tasks to prevent Distributed Denial of Service (DDoS) attacks on the BIG-IP system.

Configuring adaptive reaping

This procedure configures adaptive reaping. The adaptive connection reaper closes idle connections when memory usage on the BIG-IP system increases. This feature makes it possible for the BIG-IP system to aggressively reap connections when the system memory utilization reaches the low-water mark, and to stop establishing new connections when the system memory utilization reaches the high-water mark percentage.

If the BIG-IP platform includes an LCD panel, an adaptive reaping event causes the BIG-IP system to display the following message on the LCD panel: Blocking DoS attack
CAUTION:
The adaptive reaper settings do not apply to SSL connections. However, you can set TCP and UDP connection timeouts that reap idle SSL connections.
  1. On the Main tab, click System > Configuration. The General screen opens.
  2. From the Local Traffic menu, choose General.
  3. In the Properties area of the screen, set the Reaper High-water Mark property to 95.
  4. Set the Reaper Low-water Mark property to 85.
  5. Click Update.

When aggressive mode is activated on the BIG-IP system, the event is marked in the /var/log/ltm file with messages similar to these examples:

tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
Important: Setting both of the adaptive reaper values to 100 disables this feature.

SYN flood protection

A SYN flood is a type of Denial of Service attack in which an attacker sends a succession of SYN requests to a system with the intent of consuming available resources, thereby rendering the system unresponsive. To prevent flooding on the BIG-IP system and to preserve memory, you can adjust the SYN Check threshold.

Adjusting the SYN Check threshold

You can configure the SYN Check™ feature to prevent the BIG-IP SYN queue from becoming full during a SYN flood attack. The SYN Check Activation Threshold setting indicates the number of new or untrusted TCP connections that can be established before the BIG-IP activates the SYN Cookies authentication method for subsequent TCP connections.
  1. On the Main tab, click System > Configuration.
  2. From the Local Traffic menu, choose General.
  3. In the SYN Check Activation Threshold field, type the number of connections that you want to define for the threshold.
  4. Click Update.
If SYN flooding occurs, the BIG-IP system now protects the BIG-IP SYN queue from becoming full.
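The following is an added example, not BIG-IP code: a small Python model of what the SYN Check activation threshold buys you. A listener keeps per-connection state for half-open connections until the threshold is reached, then switches to stateless SYN cookies, so the SYN queue cannot grow past the threshold while a legitimate client can still complete its handshake. The cookie layout (24 bits of truncated HMAC plus an 8-bit timestamp slot), the secret, the `Listener` class and the constructed addresses are illustrative assumptions and are not how TMM implements SYN cookies.

```python
"""Threshold-triggered SYN cookies, modelled in Python (added example,
not BIG-IP code; cookie layout, secret and Listener are assumptions)."""
import hashlib
import hmac

SECRET = b"constructed-example-secret"   # assumption: a per-device secret, rotated in practice


def syn_cookie(src_ip, src_port, dst_ip, dst_port, t):
    """32-bit initial sequence number bound to the 4-tuple, a coarse
    timestamp slot and the secret. Verifying it needs no stored state."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    mac24 = int.from_bytes(tag[:3], "big")
    # top 24 bits: truncated MAC; low 8 bits: timestamp slot, so the
    # verifier can recover t and reject stale cookies
    return (mac24 << 8) | (t & 0xFF)


def cookie_valid(src_ip, src_port, dst_ip, dst_port, cookie, now, max_age=4):
    """Accept only cookies minted within the last max_age time units."""
    slot = cookie & 0xFF
    for t in range(now, now - max_age - 1, -1):
        if t & 0xFF == slot:
            return syn_cookie(src_ip, src_port, dst_ip, dst_port, t) == cookie
    return False


class Listener:
    """Keeps state for embryonic connections until the activation
    threshold is reached, then answers SYNs statelessly with cookies."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.half_open = {}          # 4-tuple -> ISN we sent (stateful path)
        self.established = set()
        self.cookies_active = False

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        key = (src_ip, src_port, dst_ip, dst_port)
        if not self.cookies_active and len(self.half_open) >= self.threshold:
            self.cookies_active = True          # the activation event
        isn = syn_cookie(*key, now)
        if not self.cookies_active:
            self.half_open[key] = isn           # every spoofed SYN costs memory here
        return isn                              # sequence number of our SYN-ACK

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack, now):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.half_open:
            ok = self.half_open.pop(key) + 1 == ack
        else:
            ok = cookie_valid(*key, ack - 1, now)   # stateless check
        if ok:
            self.established.add(key)
        return ok


def simulate_flood(threshold, flood_syns, now=1000):
    """Spoofed SYNs (constructed addresses) never send the final ACK; a
    legitimate client then connects after the threshold has been crossed."""
    lst = Listener(threshold)
    for i in range(flood_syns):
        lst.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i, "203.0.113.10", 443, now)
    isn = lst.on_syn("192.0.2.7", 51515, "203.0.113.10", 443, now)
    legit_ok = lst.on_ack("192.0.2.7", 51515, "203.0.113.10", 443, isn + 1, now + 1)
    return {"cookies_active": lst.cookies_active,
            "half_open": len(lst.half_open),
            "legit_ok": legit_ok}
```

With a threshold of 64 and 500 spoofed SYNs, `simulate_flood(64, 500)` reports that cookies activated, that the half-open table stopped growing at 64 entries, and that the legitimate client still established its connection. The trade-off the model also makes visible is the one you accept when lowering the threshold: while cookies are active the listener only learns about a client after its ACK returns, so it cannot retransmit a lost SYN-ACK for it.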

ICMP packet handling

One way to reduce the effect of Denial of Service attacks is to configure the way that the BIG-IP system handles ICMP packets.

Limiting ICMP responses

The TM.MaxICMPRate bigdb key can reduce the effects of a denial of service attack by allowing you to limit the number of responses that the BIG-IP system sends for ICMP errors and ICMP unreachable events.

The TM.MaxICMPRate bigdb key specifies a general rate limit applied to ICMP errors coming from servers back through the BIG-IP system to the clients. Each ICMP event must be associated with an established connection flow.

For example, if a virtual server connection generates ICMP unreachable responses from the pool member, the BIG-IP system passes the ICMP responses back to the clients until the number of ICMP messages reaches the value specified by the TM.MaxICMPRate bigdb key. Once the number of ICMP messages reaches this value, the BIG-IP stops sending ICMP responses.

At the tmsh prompt, type the following command, replacing <value> with the rate you want:

tmsh modify sys db TM.MaxICMPRate value <value>

The default value for the TM.MaxICMPRate bigdb key is 100 ICMP responses per second. The minimum value allowed is 1 and the maximum value allowed is 1000.

Limiting ICMP unreachable packets

The TM.MaxRejectRate bigdb key can reduce the effects of a Denial of Service attack by allowing you to limit the number of ICMP unreachable packets that the BIG-IP system sends in response to incoming client-side or server-side packets that cannot be matched with existing connections to traffic management listener IP addresses, such as virtual servers or SNATs.

At the tmsh prompt, type this command, replacing <value> with the rate you want:

tmsh modify sys db TM.MaxRejectRate value <value>

The default value for the TM.MaxRejectRate bigdb key is 250 ICMP unreachable packets per second (the unit is packets per second, not seconds). The minimum value allowed is 1 and the maximum value allowed is 1000.

When the TM.MaxRejectRate threshold has been exceeded for ICMP, the BIG-IP system stops sending ICMP unreachable packets in response to unmatched packets, and logs a message to the /var/log/ltm file that appears similar to the following example:

tmm tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
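The two log messages this chapter quotes, the adaptive reaper's "aggressive mode activated/deactivated" lines and the "Limiting icmp unreach response" line, are the signals you would watch for in /var/log/ltm during a DoS event. The following is an added example, not F5 code, that parses both message types from constructed sample lines and relates them to the thresholds configured in the procedures above: the page counts in the reaper message are converted to a memory utilization percentage and compared with the low- and high-water marks, and the logged ICMP limit is compared with the expected TM.MaxRejectRate. The syslog prefix on the sample lines (timestamp, host, level) is an assumption about the line layout; the message bodies follow the examples quoted above.

```python
"""Parse /var/log/ltm adaptive-reaper and ICMP rate-limit messages and
check them against configured thresholds (added example, not F5 code)."""
import re

# Constructed sample (not from a real system); message bodies modelled on
# the examples quoted in this chapter, syslog prefix is an assumption.
SAMPLE_LTM_LOG = """\
Mar  3 10:15:01 bigip1 notice tmm tmm[1609]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
Mar  3 10:15:09 bigip1 notice tmm tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
Mar  3 10:15:14 bigip1 notice tmm tmm[1609]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
Mar  3 10:15:20 bigip1 info tmm tmm[1609]: constructed unrelated line, ignored by the parser
"""

SWEEPER_RE = re.compile(
    r"011e0002:4: sweeper_update: aggressive mode (activated|deactivated)\."
    r" \((\d+)/(\d+) pages\)")
ICMP_LIMIT_RE = re.compile(
    r"011e0001:4: Limiting icmp unreach response from (\d+) to (\d+) packets/sec")
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")


def parse_ltm_log(text):
    """One event dict per line of a known message type; other lines are skipped."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else None
        m = SWEEPER_RE.search(line)
        if m:
            used, total = int(m.group(2)), int(m.group(3))
            events.append({"ts": stamp, "type": "reaper", "state": m.group(1),
                           "used_pages": used, "total_pages": total,
                           "util_pct": round(100.0 * used / total, 2)})
            continue
        m = ICMP_LIMIT_RE.search(line)
        if m:
            observed, limit = int(m.group(1)), int(m.group(2))
            events.append({"ts": stamp, "type": "icmp_limit",
                           "observed_pps": observed, "limit_pps": limit,
                           "suppressed_pps": observed - limit})
    return events


def check_events(events, low_water=85, high_water=95, max_reject_rate=250):
    """Relate each event to the configured thresholds; returns
    (severity, message) tuples. Defaults match the procedures above."""
    findings = []
    for e in events:
        if e["type"] == "reaper":
            if e["state"] == "activated":
                if e["util_pct"] >= high_water:
                    sev = "critical"   # new connections are being refused
                elif e["util_pct"] >= low_water:
                    sev = "warning"    # idle connections are being reaped aggressively
                else:
                    sev = "error"      # activated below the configured low-water mark: config drift?
                findings.append((sev, f"{e['ts']} reaper activated at {e['util_pct']}% memory"))
            else:
                findings.append(("info", f"{e['ts']} reaper deactivated at {e['util_pct']}% memory"))
        elif e["type"] == "icmp_limit":
            # a logged limit that differs from the expected db value means the key was changed
            sev = "warning" if e["limit_pps"] == max_reject_rate else "error"
            findings.append((sev, f"{e['ts']} ICMP unreachable limited: {e['observed_pps']} -> "
                                  f"{e['limit_pps']} pps ({e['suppressed_pps']} pps suppressed)"))
    return findings
```

Run against the sample, the first reaper line resolves to exactly 85.0% memory utilization (117504 of 138240 pages), which is the low-water mark set earlier in this chapter, and the ICMP line shows 49 unreachable packets per second being suppressed above the 250 packets/sec default.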

IPsec protocol configuration

You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP® system to another. More specifically, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.

Note: Depending on your network topology, use of this feature is optional.

Creating an IKE peer

Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies, to the system you are configuring, the other BIG-IP system with which it communicates during Phase 1 negotiations, and it specifies the algorithms and credentials to be used for that negotiation. Creating an IKE peer is a required step in the process of establishing a secure channel between the two systems.

Important: Perform this task on each BIG-IP system.
  1. On the Main tab, click Network > IPsec > IKE Peers.
  2. Click the Create button. The New IKE Peer screen opens.
  3. In the Name field, type a unique name for the IKE peer.
  4. In the Description field, type a brief description of the IKE peer.
  5. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring. This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
  6. For the State setting, retain the default value, Enabled.
  7. For the IKE Phase 1 Algorithms area, retain the default values.
  8. For the IKE Phase 1 Credentials area, select one of the following:
    Option: The default values
    Description: The default authentication method is RSA signature.
    Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings.
    Option: The authentication method Preshared Key
    Description: This allows you to type a preshared key for use as the authentication method.
  9. For the Common Settings area, retain all default values.
  10. Click Finished. The page refreshes and displays the new IKE peer in the list.
You now have an IKE peer defined for establishing a secure channel.

Creating a bidirectional IPsec policy

Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.

Important: Perform this task on each BIG-IP® system.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. In the Description field, type a brief description of the policy.
  5. From the Mode list, select Tunnel. The screen refreshes to show the Tunnel Local Address and Tunnel Remote Address settings.
  6. In the Tunnel Local Address field, type the local IP address of the system you are configuring. Sample tunnel local addresses for BIG-IP A and BIG-IP B are as follows:
    System Name   Tunnel Local Address
    BIG-IP A      2.2.2.2
    BIG-IP B      3.3.3.3
  7. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring. Sample tunnel remote addresses for BIG-IP A and BIG-IP B are as follows:
    System Name   Tunnel Remote Address
    BIG-IP A      3.3.3.3
    BIG-IP B      2.2.2.2
  8. For the Authentication Algorithm setting, retain the default value, AES-GCM128.
  9. For the Encryption Algorithm setting, retain the default value, AES-GCM128.
  10. For the Perfect Forward Secrecy setting, retain the default value, MODP1024. Note that MODP1024 is a 1024-bit Diffie-Hellman group, which is weak by current standards; if both peers support a larger group such as MODP2048, prefer it. Whatever you choose must be identical on both systems.
  11. For the Lifetime setting, retain the default value, 1440. This is the length of time (in minutes) before the current security association expires.
  12. Click Finished. The screen refreshes and displays the new IPsec policy in the list.
You now have a custom IPsec policy on each BIG-IP system, ready to be referenced by an IPsec traffic selector.

Creating a bidirectional IPsec traffic selector

Use this procedure to create an IPsec traffic selector that references a custom IPsec policy. The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create. The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. In the Description field, type a brief description of the traffic selector.
  5. For the Order setting, retain the default value (First).
  6. From the Configuration list, select Advanced.
  7. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the host or network address from which the application traffic originates. Sample source IP addresses for BIG-IP A and BIG-IP B are as follows:
    System Name   Source IP Address
    BIG-IP A      1.1.1.0/24
    BIG-IP B      4.4.4.0/24
  8. From the Source Port list, select a source port, or retain the default value * All Ports.
  9. For the Destination IP Address setting, click Host, and in the Address field, type an IP address. This IP address should be the final host or network address to which the application traffic is destined. Sample destination IP addresses for BIG-IP A and BIG-IP B are as follows:
    System Name Destination IP Address
    BIG-IP A 4.4.4.0/24
    BIG-IP B 1.1.1.0/24
  10. From the Destination Port list, select a destination port, or retain the default value * All Ports.
  11. From the Protocol list, select a protocol name. You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
  12. From the Direction list, select Both.
  13. From the Action list, select Protect. The IPsec Policy Name setting appears.
  14. From the IPsec Policy Name list, select the name of the custom IPsec policy that you previously created.
  15. Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.
You now have an IPsec traffic selector for each BIG-IP system.
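The three procedures above (IKE peer, IPsec policy, traffic selector) only work if the settings on the two BIG-IP systems are mirror images of each other: each system's IKE peer Remote Address must equal its own policy's Tunnel Remote Address, each system's Tunnel Remote Address must be the other system's Tunnel Local Address, and with Direction set to Both each system's selector source network must be the other system's selector destination network, while the PFS group and lifetime must match. The following is an added example, not F5 code, that encodes those relationships as a check over two configuration records built from this chapter's sample addresses. `PeerConfig` is an illustrative record of the GUI fields named in the procedures, not an F5 object.

```python
"""Cross-check two BIG-IP IPsec configurations for the mirror-image
relationships the IKE peer, IPsec policy and traffic selector procedures
require (added example, not F5 code; PeerConfig is an assumption)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class PeerConfig:
    name: str
    ike_remote_address: str      # IKE Peers > Remote Address
    tunnel_local_address: str    # IPsec Policies > Tunnel Local Address
    tunnel_remote_address: str   # IPsec Policies > Tunnel Remote Address
    selector_source: str         # Traffic Selectors > Source IP Address
    selector_destination: str    # Traffic Selectors > Destination IP Address
    pfs_group: str = "MODP1024"  # IPsec Policies > Perfect Forward Secrecy
    lifetime_minutes: int = 1440 # IPsec Policies > Lifetime


# The sample values used in this chapter's procedures.
BIGIP_A = PeerConfig("BIG-IP A", "3.3.3.3", "2.2.2.2", "3.3.3.3", "1.1.1.0/24", "4.4.4.0/24")
BIGIP_B = PeerConfig("BIG-IP B", "2.2.2.2", "3.3.3.3", "2.2.2.2", "4.4.4.0/24", "1.1.1.0/24")

WEAK_PFS_GROUPS = {"MODP768", "MODP1024"}   # Diffie-Hellman groups of 1024 bits or less


def check_pair(a, b):
    """Return {"errors": [...], "warnings": [...]}. No errors means the two
    sides agree on tunnel endpoints, selectors, PFS group and lifetime."""
    errors, warnings = [], []
    for me, other in ((a, b), (b, a)):
        # IKE peer step 5: Remote Address must match the policy's Tunnel Remote Address.
        if me.ike_remote_address != me.tunnel_remote_address:
            errors.append(f"{me.name}: IKE peer Remote Address {me.ike_remote_address} "
                          f"!= policy Tunnel Remote Address {me.tunnel_remote_address}")
        # My tunnel remote endpoint is the peer's tunnel local endpoint.
        if me.tunnel_remote_address != other.tunnel_local_address:
            errors.append(f"{me.name}: Tunnel Remote Address {me.tunnel_remote_address} "
                          f"!= {other.name} Tunnel Local Address {other.tunnel_local_address}")
        # Direction = Both: my protected source network is the peer's destination network.
        if ipaddress.ip_network(me.selector_source) != ipaddress.ip_network(other.selector_destination):
            errors.append(f"{me.name}: selector source {me.selector_source} "
                          f"!= {other.name} selector destination {other.selector_destination}")
        if me.pfs_group in WEAK_PFS_GROUPS:
            warnings.append(f"{me.name}: PFS group {me.pfs_group} is 1024-bit DH or weaker")
    if a.pfs_group != b.pfs_group:
        errors.append(f"PFS group differs: {a.pfs_group} vs {b.pfs_group}")
    if a.lifetime_minutes != b.lifetime_minutes:
        errors.append(f"lifetime differs: {a.lifetime_minutes} vs {b.lifetime_minutes} minutes")
    return {"errors": errors, "warnings": warnings}
```

`check_pair(BIGIP_A, BIGIP_B)` returns no errors for the chapter's sample values and one warning per side about the MODP1024 default. A single mistyped octet in one system's Tunnel Remote Address produces two errors at once (the IKE peer no longer matches the policy on that system, and the two systems' endpoints no longer line up), which is the kind of asymmetric misconfiguration that otherwise surfaces only as a Phase 1 or Phase 2 negotiation failure.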
