Manual Chapter: Managing DoS Profiles in Shared Security

About DoS profiles

The DoS Profiles panel in Shared Security lists configured DoS profiles.

Using BIG-IQ® Security, you can configure profiles to detect and protect against DoS (Denial of Service) attacks.

DoS attack detection and prevention serves the following functions:

  • It detects and automatically drops packets that are malformed or contain errors.
  • It logs unusual increases in packets of any type, including malformed packets, packets that contain errors, and any other packet type whose rate rises rapidly.

You can use the DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack is in progress on a particular query type, or an increase in anomalous packets. Additionally, you can use the reporting or logging functions to detect such packets.

You can enable Layer 7 application DoS protection for HTTP traffic, Layer 7 DoS protection for SIP traffic, and Layer 2-4 DNS DoS protection.

To cancel any operation without saving and close the panel, click Cancel.

To get help on any panel, click the (?) icon in the upper right corner.

Adding DoS profiles

Hover over the DoS Profiles header, click the (+) icon when it appears, and click New DoS Profile. The panel expands to display the new DoS Profile screen.

Editing DoS profiles

Hover over the DoS profile header you want to edit, and when the gear icon appears, select Properties to expand the panel.

Considerations when using Bot Signatures on a BIG-IP device or Proactive Bot on a BIG-IQ system

When using Bot Signatures, Bot Signature Categories, or Proactive Bot parameters, be aware of the following:

  • If you enable and modify the default values for the Bot Signatures or Bot Signature Categories settings on a version 12.0 BIG-IP device, and then attempt to discover that BIG-IP device using a BIG-IQ system, the discovery will fail because the BIG-IQ system only supports the default values for these parameters.
  • If on the BIG-IQ system you enable the Proactive Bot setting on the Application Security tab of the DoS Profiles panel, this also enables the Bot Signatures and Bot Signature Categories settings, which are not visible on the BIG-IQ system. If this configuration is then deployed to a version 12.0 BIG-IP device, the Bot Signatures and Bot Signature Categories will be successfully deployed with default values along with the Proactive Bot settings.

Adding DoS Profiles

Use the New DoS Profiles panel to configure a new DoS profile.

Note: Depending on the settings you configure, you may see only some of the screen elements described here.

Adding DoS profiles

  1. Hover over the DoS Profiles header.
  2. When the + icon appears, click it to create a new profile. The panel expands to display the New DoS Profile panel and the Properties tab.
  3. In the New DoS Profile Properties tab, add and set the properties as appropriate.
    Name: Specify a unique user-provided name for the DoS profile. Required.
    Description: Specify an optional description for the DoS profile.
    Partition: Specify the partition to which the DoS profile belongs. Only users with access to a partition can view the objects (such as the DoS profile) that it contains. If the DoS profile resides in the Common partition, all users can access it. Although this field is pre-populated with Common (default), you can set the partition when creating DoS profiles by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
  4. Select Enabled to the right of one or more protection types to enable those types. A configuration tab is added dynamically when a protection type is selected.
    Application Security: When enabled, protects your web application against DoS attacks. Click the Application Security tab to configure the protection type. Supply or modify any necessary property values. For setting details, consult the following sections.
    Protocol DNS: When enabled, protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Click the Protocol DNS tab to configure the protection type. Supply or modify any necessary property values. For setting details, consult the following sections.
    Protocol SIP: When enabled, protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature. Click the Protocol SIP tab to configure the protection type. For setting details, consult the following sections.
    Network: When enabled, protects your server against network DoS attacks. Click the Network tab to configure the protection type. Supply or modify any necessary property values. For setting details, consult the following sections.

  5. When finished, click Add.

Configuring for application security

In this set of tabs, configure how the system determines your application is under a DoS attack, and how the system reacts to a suspected attack.
General Settings tab
  • Trigger iRule. Enable this setting if you have an iRule that manages DoS events in a customized manner. When enabled, specifies that the system activates an Application DoS iRule event. The default is disabled. Enable this setting if you write an iRule that tells the system how to handle a DoS attack.
  • IP Whitelist. Specifies IP addresses, including subnet masks, that the system considers legitimate and does not examine when performing DoS prevention. Note: After you add an IP address to this whitelist, the system automatically adds it to all Anomaly Detection whitelists and to the IP Address Exceptions list.
  • Geolocation. Overrides the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack. Select the countries you want to add to the blacklist or whitelist from the Available Geolocations list.
Proactive Bot Defense tab
  • Operation Mode. Specifies the conditions under which bots are detected and blocked.
  • Block requests from suspicious browsers. Strengthens the bot defense by blocking suspicious browsers. Highly suspicious browsers are blocked completely, while moderately suspicious browsers are challenged with a CAPTCHA.
  • Grace Period. Gives browsers time to be validated as non-bots. During this period, requests that have not yet been validated are not blocked.
  • Cross-Domain Requests. Adds security by allowing only the configured domains to reference resources of the site.
  • URL Whitelist. Example: /index.html. Specifies excluded URLs. Requests to these URLs are not blocked by Proactive Bot Defense, although they may still be blocked by TPS-based or Stress-based attack mitigation.
TPS-based Detection tab: In TPS-based detection mode, if the ratio of the transaction rate during the detection interval to the transaction rate during the history interval exceeds the percentage you configure on this tab (TPS increased by), the system considers the URL or site to be under attack, or the IP address or geolocation to be attacking. To stop the attack, the system blocks some or all requests from the detected IP address or geolocation and/or to the attacked URL or site, depending on the configuration of the DoS profile.
  • Operation Mode. Specifies how the system reacts when it detects an attack.
  • Source IP Based. Specifies the criteria that determine when the system treats an IP address as an attacker. If these thresholds are reached, the system prevents further attacks by limiting the number of requests per second to the history interval rate. The system does not return the blocking response page.
  • Geolocation Based. Specifies that if both criteria are met, the system treats the country as an attacker. If these values are reached, the system prevents further attacks by limiting the number of requests per second to the history interval rate. The system does not return the blocking response page. The settings exclude blacklisted and whitelisted geolocations.
  • URL Based. Specifies the criteria that determine when the system treats a URL as being under attack. If requests for URLs meet either of the conditions in these settings, the system prevents further attacks by limiting the number of requests per second to the history interval rate. The system does not return the blocking response page.
  • Site-wide. Specifies the criteria that determine when the system treats an entire website as being under attack. The system prevents further attacks by limiting the number of requests per second to the history interval rate. The system does not return the blocking response page.
  • Prevention Duration. Specifies the time spent in each mitigation step before the system moves to the next mitigation step.
Stress-based Detection tab: In this tab, configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either one of the TPS thresholds is crossed or the system finds a behavioral anomaly.
  • Operation Mode. Specifies how the system reacts when it detects an attack.
  • Source IP Based. Specifies the criteria under which the system treats an IP address as suspicious (suspects the IP address to be an attacker). If an attack is detected according to the detection criteria, IP rate limiting is applied to the suspicious IP addresses. The system prevents the attack by limiting the number of requests per second. The system does not return the blocking response page. The system considers an IP address to be an attacking entity if either condition occurs.
  • Geolocation Based. Specifies the conditions under which the system considers requests from a country to be suspicious. The system performs mitigation methods on traffic from suspicious countries if at least one By Geolocation mitigation method is enabled and both conditions are met. The settings exclude blacklisted and whitelisted geolocations.
  • URL Based. Specifies the criteria that determine when the system suspects a URL to be under attack. If an attack is detected according to the detection criteria, URL rate limiting is applied to the suspicious URLs. The system prevents the attack by limiting the number of requests per second. The system does not return the blocking response page. The system considers a URL to be an attacked entity if either condition occurs.
  • Site-wide.
  • Prevention Duration. Specifies the time spent in each mitigation step before the system moves to the next mitigation step.
Heavy URL Protection tab
  • Heavy URL Protection. Enables the protection of Heavy URLs during DoS attacks.
  • Automatic Detection. When enabled, the system automatically detects heavy URLs of the application, in addition to the URLs entered manually.
  • Latency Threshold. When enabled, the system automatically detects heavy URLs of the application, in addition to the URLs entered manually.
  • Heavy URLs. Example: /index.html. Configures a list of Heavy URLs to protect, in addition to the automatically detected ones.
  • Ignored URLs. Configures a list of URLs that are excluded from automatic detection as Heavy URLs. Wildcards are supported.
Record Traffic tab: Enables the recording of traffic (by performing a TCP dump) while a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how the attack was mitigated, and draw conclusions for changing the DoS profile configuration.
  • Record Traffic During Attacks. When enabled, specifies that the system records traffic while a DoS attack is underway, on the virtual server in which the attack was detected. The TCP dump files can be collected into the QuickView file so that F5 Support can use them to resolve customer cases. The files are located at /shared/dosl7/tcpdumps and have a pcap extension. The default value is disabled. Note that SSL traffic is recorded encrypted.
  • Maximum TCP Dump Duration. Specifies the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default value is 30 seconds.
  • Maximum TCP Dump Size. Specifies the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default value is 10 MB.
  • TCP Dump Repetition. Specifies whether the system performs one dump for each DoS attack, or multiple dumps.

Configuring Protocol DNS security settings

In this tab, configure the conditions under which the system determines that your DNS server is under a DoS attack.
Protocol Errors Attack Detection: Select Enable to configure.
Rate increased by: Specifies that the system considers traffic to be an attack if the rate of requests increases by more than this percentage. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
Rate threshold: Specifies the number of packets per second that must be exceeded to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
Rate Limit: Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
DNS Query Attack Detection: The dropdown lists commonly known DNS query types that you want the system to detect in packets. From the dropdown, select a query type and click Add. Then, specify the threshold, rate increase, and rate limit for that query type.

Configuring Protocol SIP security settings

In this tab, configure the conditions under which the system determines that your server, running the SIP protocol, is under a DoS attack.
Protocol Errors Attack Detection: When enabled, specifies that the system detects SIP attacks based on a high volume of protocol errors. It displays how many packets with errors per second are allowed before the system tracks SIP traffic anomalies, and the percentage increase in SIP traffic with errors that is allowed before the system tracks SIP traffic anomalies.
Rate increased by: Specifies that the system considers traffic to be an attack if the rate of requests increases by more than this percentage. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
Rate threshold: Specifies the number of packets per second that must be exceeded to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
Rate Limit: Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
SIP Method Attack Detection: The dropdown lists commonly known SIP method types that you want the system to detect in packets. From the dropdown, select a method type and click Add. Then, specify the threshold, rate increase, and rate limit for that method type.

Configuring network security settings

In this tab, configure the conditions under which the system determines that your server is under a network DoS attack.
Protocol Errors Attack Detection: When enabled, specifies the conditions under which the system determines that your server is under a network DoS attack.
Attack Type: The dropdown lists commonly known attack types. From the dropdown, select the network DoS attack types to detect. Then, for each selected attack type, configure the following settings:
  • Threshold. Specifies the number of packets per second, averaged over the previous minute, that must be exceeded to indicate to the system that there is an attack. The default setting is 1000 packets per second.
  • Rate Increase. Specifies that the system considers traffic to be an attack if the rate of requests increases by more than this percentage. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
  • Rate Limit. Specifies the absolute limit of such packets allowed per second.
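As an added example (constructed here, not F5 code and not part of this manual), the following Python model shows how the three per-vector settings on the DNS, SIP and Network tabs combine with the ratio-to-history idea described under TPS-based Detection: an absolute Rate threshold in pps, a Rate increased by percentage over a history baseline, and a Rate Limit that caps what is allowed. The combination rule (either criterion flags an attack), the 60-sample baseline and the rule that attack samples are not learned into the baseline are assumptions for the model, not documented BIG-IP behaviour.

```python
"""Simplified model of per-vector DoS detection settings (constructed example).

Defaults are the values quoted on the page: 250,000 pps threshold,
500 percent increase, 2,500,000 pps rate limit. Everything else is an assumption.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class Decision:
    observed_pps: int
    baseline_pps: Optional[float]   # None until any history exists
    increase_pct: Optional[float]   # None when no baseline is available
    reasons: List[str]              # which detection criteria fired
    allowed_pps: int
    dropped_pps: int

    @property
    def attack(self) -> bool:
        return bool(self.reasons)


@dataclass
class DoSVector:
    """One detected entity: a DNS query type, a SIP method or a network attack type."""
    name: str
    rate_threshold: int = 250_000     # pps that must be exceeded
    rate_increase_pct: int = 500      # percent increase over the baseline
    rate_limit: int = 2_500_000       # absolute pps cap during mitigation
    history_len: int = 60             # one-minute samples kept as the baseline (assumed)
    history: Deque[int] = field(default_factory=deque)

    def baseline(self) -> Optional[float]:
        """Average rate over the history interval, or None if nothing has been learned."""
        if not self.history:
            return None
        return sum(self.history) / len(self.history)

    def learn(self, pps: int, count: int) -> None:
        """Feed `count` identical samples, e.g. to warm up the baseline."""
        for _ in range(count):
            self.observe(pps)

    def observe(self, pps: int) -> Decision:
        """Evaluate one detection-interval sample against the configured criteria."""
        base = self.baseline()
        reasons: List[str] = []
        increase: Optional[float] = None
        # Criterion 1: absolute packet rate above the configured threshold.
        if pps > self.rate_threshold:
            reasons.append("rate threshold")
        # Criterion 2: percentage increase over the history baseline. With no
        # baseline (or a zero baseline) the ratio is undefined, so only the
        # absolute threshold can fire; the first sample is never treated as an
        # infinite increase.
        if base:
            increase = (pps - base) / base * 100.0
            if increase > self.rate_increase_pct:
                reasons.append("rate increase")
        # Rate Limit is an absolute cap: anything above it is dropped.
        allowed = min(pps, self.rate_limit)
        # Only learn from samples that were not judged to be an attack, so a
        # sustained flood cannot raise the baseline and hide itself (assumption).
        if not reasons:
            self.history.append(pps)
            while len(self.history) > self.history_len:
                self.history.popleft()
        return Decision(pps, base, increase, reasons, allowed, pps - allowed)


def main() -> None:
    # Constructed scenario: a quiet hour of DNS A-query traffic, then a flood.
    vec = DoSVector("dns-query-A")
    vec.learn(40_000, 60)
    for pps in (300_000, 3_000_000, 40_000):
        d = vec.observe(pps)
        print(f"{vec.name}: {d.observed_pps} pps, baseline {d.baseline_pps}, "
              f"attack={d.attack} {d.reasons}, dropped {d.dropped_pps} pps")


if __name__ == "__main__":
    main()
```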

Managing DoS profiles

The DoS profile is used to fine tune both the circumstances under which the system considers traffic to be a DoS attack, and how the system handles a DoS attack.

Note: Depending on the settings you configure, you may see only some of the screen elements described here.

Editing DoS profiles

From the DoS Profiles panel, you can edit DoS profile properties.

  1. Hover over the DoS profile that you want to edit, click the gear icon, and select Properties to expand the panel.
  2. Click Edit to lock the DoS profile for editing and make it possible to edit the values on the property page.
  3. Edit the properties as appropriate.
    Name: Displays the name of the DoS profile. It cannot be modified.
    Description: Specify an optional description for the DoS profile.
    Partition: Specifies the partition to which the DoS profile belongs. Only users with access to a partition can view the objects (such as the DoS profile) that it contains. If the DoS profile resides in the Common partition, all users can access it. Although this field is pre-populated with Common (default), you can set the partition when creating DoS profiles by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
  4. Modify or add to the protection types enabled. Select Enabled to the right of a protection type to enable it. A configuration tab is added dynamically when a protection type is enabled. Click the tab to configure the protection type.
    Application Security: When enabled, protects your web application against DoS attacks. Click the Application Security tab to configure property values. For setting details, consult the configuration section for that protection type.
    Protocol DNS: When enabled, protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Click the Protocol DNS tab to configure property values. For setting details, consult the configuration section for that protection type.
    Protocol SIP: When enabled, protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature. Click the Protocol SIP tab to configure property values. For setting details, consult the configuration section for that protection type.
    Network: When enabled, protects your server against network DoS attacks. Click the Network tab to configure property values. For setting details, consult the configuration section for that protection type.

  5. Click Save to save your changes as you go.
  6. When finished, click Save and Close to save changes, release the lock, and exit the panel.

Removing DoS profiles

  1. Hover over the DoS profile that you want to remove, click the gear icon, and select Properties to expand the panel.
  2. Click Remove.
  3. In the confirmation dialog box, click Delete.