Manual Chapter : Protecting Against DDoS Attacks

Applies To: F5 DDoS Hybrid Defender 12.1.0

Overview: Protecting against DDoS attacks

You can easily set up DDoS Hybrid Defender™ to protect your networks and applications from DoS attacks. Once it is all set up, you can monitor the system to see whether there have been any attacks, and whether they are being handled properly.

Note: You configure DDoS Hybrid Defender by using the settings in DoS Protection > Quick Configuration. F5 does not recommend making changes outside of the DDoS Hybrid Defender application.

Protecting the network from DDoS attacks

DDoS Hybrid Defender™ detects and handles DDoS attacks using preconfigured responses. Here you can adjust the Device Configuration settings that apply to the DDoS Hybrid Defender device as a whole so that it protects the network.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Configure the Auto Threshold Sensitivity (1-100, default is 50).
    A lower number means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage, and the system adjusts the thresholds more slowly over time.
  4. Optionally, set up a whitelist of IP addresses that should be allowed to bypass DDoS checks. See Bypassing DDoS checks for details.
  5. If you are using Silverline DDoS Protection Services, select the Silverline check box.

    The system reports DDoS attacks to F5 Silverline. For severe attacks, you can work with the F5 Silverline Security Operations Center (SOC) to migrate traffic to the F5 Silverline Cloud Platform for mitigation.

  6. For DDoS settings, all the categories of protections are selected, and the associated vectors are preconfigured.
    Setting and what it protects against:
    • Bad Headers: DDoS attacks related to header fields.
    • DNS: DDoS attacks related to DNS queries.
    • Flood: DDoS flood attacks.
    • Fragmentation: Various types of ICMP and IP fragmentation errors.
    • Single Endpoint: Single endpoint flood and sweep DoS attacks.
    • SIP: SIP protocol DDoS vectors.
    • Other: Miscellaneous DDoS vectors.
  7. Click the + sign next to each category to display the attack vectors.
    A table opens listing the associated attack vectors, the properties, and the current device statistics, if available.
  8. Click the name of any vector to edit the settings as needed for your environment.
    Configure the settings at a level that reflects the device and network capacity.
    The configuration settings appear on the right side of the screen.
  9. Configure the DDoS vector for automatic threshold configuration or manual thresholds.
    • If the attack allows automatic threshold configuration, you can select Auto-Threshold Configuration for the system to set the thresholds. See Automatically setting system-wide DDoS thresholds for details.
    • To configure thresholds manually, click Manual Configuration. See Manually setting system-wide DDoS thresholds for details.
  10. Click the Update button.
    The device configuration is updated, and the DoS Device Configuration screen opens again.
Now you have configured the system to respond to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Refer to the sections on automatically and manually setting system-wide DDoS vector thresholds for more details about adjusting the DDoS Hybrid Defender device configuration.

Automatically setting system-wide DDoS vector thresholds

DDoS Hybrid Defender™ handles DDoS attacks with preconfigured responses, but you might need to adjust the values for your environment. For some DDoS attack vectors in the device configuration, you can have the system automatically set detection thresholds and internal rate or leak limits. Use this task to configure individual DoS vectors that include the Auto-Configuration setting.
Note: Not all settings apply to all DoS vectors. For example, some vectors do not use Auto-Thresholds.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Click the + sign next to a category to display the attack vectors for any of the enabled DDoS settings.
    A table opens listing the associated attack vectors, the properties, and the current device statistics, if available.
  4. Click the name of any vector to edit the settings.
    The configuration settings appear on the right side of the screen.
  5. For vectors that are volumetric in nature, select Auto-Threshold Configuration (available for DNS, Flood, SIP, and some Fragmentation and other vectors).
    Note: This setting is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
  6. In the Attack Floor PPS field, specify the minimum number of packets per second of the vector type for the calculated detection threshold.

    Because automatic thresholds take time to be reliably established, this setting defines the minimum number of packets allowed until automatic thresholds are calculated and reported.

    Below the attack floor value, attacks are not reported.
  7. In the Attack Ceiling PPS field, specify the maximum number of packets per second that are allowed for the vector for the calculated detection threshold.
    To set no hard limit, set this to Infinite.
    Unless set to Infinite, if the packet rate exceeds the ceiling value, the system considers it to be an attack.
  8. Click the Update button.
    The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  9. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to automatically determine DoS attack thresholds based on the characteristics of the traffic. The thresholds assigned are usually between the attack floor and attack ceiling values.

Manually setting system-wide DDoS vector thresholds

You manually configure thresholds for a DDoS vector when you want to configure specific settings, or when the vector does not allow for automatic threshold configuration.
Note: Not all settings apply to all DoS vectors. For example, some vectors allow Leak Limits instead of Rate Limits, and some vectors cannot be automatically blacklisted.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Click the + sign next to a category to display the attack vectors for any of the enabled DDoS settings.
    A table opens listing the associated attack vectors, the properties, and the current device statistics, if available.
  4. Click the name of any vector to edit the settings.
    The configuration settings appear on the right side of the screen.
  5. In the configuration settings, select Manual Configuration.
  6. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  7. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  8. For Rate/Leak Limit, set the value for the leak limit or the rate limit as follows:
    • For Bad Headers, this value sets the leak limit. This is the maximum amount of traffic with bad header vectors that is allowed to pass through the system making the issue visible.

      On platforms with hardware support for DoS protection, Bad Header packets are dropped in hardware (this provides better performance but limits visibility). The leak limit permits the specified packet rate to leak through to DDoS Hybrid Defender, which provides better visibility through statistics and reporting.

    • For most of the other vectors, this value is the rate limit. It is the maximum number of packets that are allowed to go through the system. Excess packets are dropped.
  9. To log traffic that the system identifies as a DoS attack according to the automatic thresholds, click Log Auto Threshold Events.
    Note: This setting allows you to see the results of auto thresholds on the selected DoS vector without actually affecting traffic. The system displays the current computed thresholds for automatic thresholds for this vector. Automatic thresholds are computed and enforced only when you select Auto-Threshold Configuration for a vector.
  10. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
  11. In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select Blacklist Attacking Address.
    Note: Automatic IP address blacklisting is enabled only when Bad Actor Detection is enabled.
  14. Select the Blacklist Category to which blacklist entries generated by Bad Actor Detection are added.
  15. Specify the Detection Time, in seconds, after which an IP address is blacklisted.
    When a Bad Actor IP address exceeds the Per Source IP Detection PPS setting for the Detection Time period, that IP address is added to the blacklist.
  16. To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisements.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  18. Click Update.
    The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  19. Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DDoS attacks, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
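As an added example (not F5 code, and not the product's own algorithm), the following Python models the settings from the automatic and manual threshold procedures above: a per-second check of the vector-wide Detection Threshold PPS and Rate/Leak Limit, Bad Actor Detection with Per Source IP Detection and Per Source IP Rate Limit, the Detection Time that must elapse before a source is blacklisted, the blacklist Duration, and the Attack Floor/Attack Ceiling clamp from the automatic procedure. The policy values, the per-source packet counts, and the 150%-of-peak estimate inside auto_threshold are constructed assumptions; the product's own computations are not documented on this page.

```python
# Added example, not F5 code: a per-second model of the manual threshold settings
# described above, driven by constructed per-source packet counts for one DoS vector.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VectorPolicy:
    """Manual Configuration settings for one vector. None stands for the Infinite choice."""
    detection_pps: Optional[int] = None        # Detection Threshold PPS
    rate_limit_pps: Optional[int] = None       # Rate/Leak Limit
    bad_actor_detection: bool = False          # Bad Actor Detection
    per_src_detect_pps: int = 0                # Per Source IP Detection (PPS)
    per_src_rate_limit_pps: int = 0            # Per Source IP Rate Limit (PPS)
    blacklist_attacking_address: bool = False  # Blacklist Attacking Address
    detection_time_s: int = 1                  # Detection Time (seconds)
    blacklist_duration_s: int = 14400          # Duration (default 4 hours)


@dataclass
class SecondReport:
    second: int
    attack_detected: bool     # total rate crossed Detection Threshold PPS (logged and reported)
    dropped: int              # packets over a rate limit, or from a blacklisted source
    bad_actors: List[str]
    newly_blacklisted: List[str]


class VectorEnforcer:
    def __init__(self, policy: VectorPolicy) -> None:
        self.policy = policy
        self.over_since: Dict[str, int] = {}       # source -> first second over the per-source detect rate
        self.blacklist_until: Dict[str, int] = {}  # source -> second at which the entry expires

    def step(self, second: int, per_source_pps: Dict[str, int]) -> SecondReport:
        """Evaluate one second of traffic, the interval at which the system re-checks thresholds."""
        p = self.policy
        for src in [s for s, until in self.blacklist_until.items() if second >= until]:
            del self.blacklist_until[src]          # Duration elapsed: entry removed from the blacklist
        dropped, bad_actors, newly = 0, [], []
        admitted: Dict[str, int] = {}
        for src, n in per_source_pps.items():
            if src in self.blacklist_until:        # blacklisted sources are dropped outright
                dropped += n
            else:
                admitted[src] = n
        if p.bad_actor_detection:
            for src, n in list(admitted.items()):
                if n > p.per_src_detect_pps:
                    bad_actors.append(src)
                    self.over_since.setdefault(src, second)
                    # Blacklisting takes effect only with Bad Actor Detection enabled and
                    # after the source has stayed over the detect rate for Detection Time.
                    if (p.blacklist_attacking_address
                            and second - self.over_since[src] + 1 >= p.detection_time_s):
                        self.blacklist_until[src] = second + p.blacklist_duration_s
                        self.over_since.pop(src)
                        newly.append(src)
                else:
                    self.over_since.pop(src, None)
                if n > p.per_src_rate_limit_pps:   # per-source rate limit: excess is dropped
                    dropped += n - p.per_src_rate_limit_pps
                    admitted[src] = p.per_src_rate_limit_pps
        total = sum(admitted.values())
        attack = p.detection_pps is not None and total > p.detection_pps
        if p.rate_limit_pps is not None and total > p.rate_limit_pps:
            dropped += total - p.rate_limit_pps    # vector-wide rate limit: excess is dropped
        return SecondReport(second, attack, dropped, bad_actors, newly)


def auto_threshold(observed_pps: List[int], attack_floor_pps: int,
                   attack_ceiling_pps: Optional[int] = None) -> int:
    """Clamp an estimated detection threshold between Attack Floor PPS and Attack Ceiling PPS.

    The estimate (150% of the observed peak) is an assumption made for this example; the
    product's own calculation is not documented on this page. None means an Infinite ceiling.
    """
    estimate = max(int(max(observed_pps) * 1.5), attack_floor_pps)
    return estimate if attack_ceiling_pps is None else min(estimate, attack_ceiling_pps)


def example_run() -> List[SecondReport]:
    """Run a constructed five-second timeline through a sample policy."""
    policy = VectorPolicy(detection_pps=1000, rate_limit_pps=2000, bad_actor_detection=True,
                          per_src_detect_pps=300, per_src_rate_limit_pps=400,
                          blacklist_attacking_address=True, detection_time_s=2,
                          blacklist_duration_s=10)
    enforcer = VectorEnforcer(policy)
    timeline = [
        {"10.0.0.5": 500, "10.0.0.6": 50},        # one source over the per-source detect rate
        {"10.0.0.5": 500, "10.0.0.6": 50},        # second consecutive second: Detection Time met
        {"10.0.0.5": 500, "10.0.0.6": 50},        # now blacklisted: all 500 packets dropped
        {f"10.0.1.{i}": 250 for i in range(5)},   # distributed: no bad actor, total 1250 > 1000
        {f"10.0.1.{i}": 250 for i in range(10)},  # total 2500 > rate limit 2000: 500 dropped
    ]
    return [enforcer.step(t, counts) for t, counts in enumerate(timeline)]
```

The timeline in example_run shows the two detection paths the procedure distinguishes: a single noisy source is caught by the per-source settings and ends up blacklisted after Detection Time, while a distributed flood that keeps every source under the per-source rate is still logged by the vector-wide detection threshold and trimmed by the vector-wide rate limit.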

Bypassing DDoS checks

You can specify IP addresses on a whitelist that the system does not check for DDoS attacks. Addresses on the whitelist are trusted IP addresses that are never blocked.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Click Create New.
  4. In the Name field, type a name for the whitelist entry.
  5. In the Source area, specify the IP address and VLAN combination that serves as the source of traffic that the system recognizes as acceptable to pass the DoS checks.
    The VLANs you can select from are specified on the Network Configuration screen. Use Any to specify any address or VLAN.
    Note: Be careful not to allow all traffic.
  6. In the Destination area, specify the IP address and port combination that serves as the intended destination for traffic that the system recognizes as acceptable to pass DoS checks.
    You can also use Any to specify any address or port.
  7. From the Protocol list, select the protocol for the whitelist entry.
    The options are Any, TCP, UDP, ICMP, or IGMP.
  8. Click Done Editing to add the whitelist entry to the configuration.
    You can add up to eight IP addresses to the DoS whitelist.
Traffic from the trusted IP addresses is allowed to pass through DDoS Hybrid Defender, and does not undergo DoS checks.
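As an added example (not F5 code), the following Python matches flows against whitelist entries shaped like the ones the procedure above creates: source address and VLAN, destination address and port, and a protocol from Any, TCP, UDP, ICMP or IGMP, with Any matching everything, and the eight-entry limit the manual states. The all-Any guard in DosWhitelist.add is this example's own check, prompted by the manual's caution about allowing all traffic; the entries and flows are constructed.

```python
# Added example, not F5 code: a matcher for the DoS whitelist entries described above,
# with the eight-entry limit from the manual and a guard against an all-Any entry.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = None                    # stands for the Any choice in the UI
MAX_WHITELIST_ENTRIES = 8     # limit stated in the manual
PROTOCOLS = {"Any", "TCP", "UDP", "ICMP", "IGMP"}


@dataclass(frozen=True)
class Flow:
    """One packet's tuple as the DoS checks would see it (constructed for the example)."""
    src_ip: str
    vlan: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class WhitelistEntry:
    name: str
    src_net: Optional[str] = ANY    # source address or CIDR network, or ANY
    src_vlan: Optional[str] = ANY   # source VLAN name, or ANY
    dst_net: Optional[str] = ANY    # destination address or CIDR network, or ANY
    dst_port: Optional[int] = ANY   # destination port, or ANY
    protocol: str = "Any"

    def is_wide_open(self) -> bool:
        """True when every field is Any: such an entry exempts all traffic from DoS checks."""
        return (self.src_net is ANY and self.src_vlan is ANY and self.dst_net is ANY
                and self.dst_port is ANY and self.protocol == "Any")

    def matches(self, flow: Flow) -> bool:
        if self.src_net is not ANY and ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.src_net, strict=False):
            return False
        if self.src_vlan is not ANY and flow.vlan != self.src_vlan:
            return False
        if self.dst_net is not ANY and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.dst_net, strict=False):
            return False
        if self.dst_port is not ANY and flow.dst_port != self.dst_port:
            return False
        return self.protocol == "Any" or self.protocol == flow.protocol


class DosWhitelist:
    def __init__(self) -> None:
        self.entries: List[WhitelistEntry] = []

    def add(self, entry: WhitelistEntry, allow_wide_open: bool = False) -> None:
        if entry.protocol not in PROTOCOLS:
            raise ValueError(f"{entry.name}: protocol must be one of {sorted(PROTOCOLS)}")
        if len(self.entries) >= MAX_WHITELIST_ENTRIES:
            raise ValueError(f"{entry.name}: the DoS whitelist holds at most {MAX_WHITELIST_ENTRIES} entries")
        # The all-Any guard is this example's own check, prompted by the manual's caution;
        # it is not a documented product behaviour.
        if entry.is_wide_open() and not allow_wide_open:
            raise ValueError(f"{entry.name}: entry would exempt all traffic from DoS checks")
        self.entries.append(entry)

    def bypasses_dos_checks(self, flow: Flow) -> bool:
        """True when any entry matches, meaning the flow would not undergo DoS checks."""
        return any(entry.matches(flow) for entry in self.entries)


def build_example_whitelist() -> DosWhitelist:
    """Two constructed entries: a DNS monitor on one VLAN, and a management network."""
    wl = DosWhitelist()
    wl.add(WhitelistEntry("dns-monitor", src_net="192.0.2.10/32", src_vlan="vlan10",
                          dst_port=53, protocol="UDP"))
    wl.add(WhitelistEntry("mgmt-net", src_net="198.51.100.0/24", dst_net="203.0.113.0/24"))
    return wl
```

Reviewing the output of is_wide_open over an existing whitelist is a quick way to audit whether a broad entry has quietly exempted more traffic than intended.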

Protecting network devices from DDoS attacks

With DDoS Hybrid Defender™, you can protect different types of network devices such as application servers, network hosts, DNS servers, routers, and so on against DDoS attacks. These network devices are called protected objects.

You need to create protected objects that represent the different types of device, and set up the DoS protections that are applicable to that device.

  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Protected Objects area, click Create.
    The Create Protected Object screen opens.
  3. In the Name field, type a name for the protected object.
  4. In the IP Address field, type the IP address or network from which the protected object accepts traffic.
    Specify the IP address in CIDR format: address/prefix, where the prefix length is in bits: for example, for IPv4: 10.0.0.1/32 or 10.0.0.0/24, and for IPv6: ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64.
  5. In the Port field, type the service port used by the protected object.
  6. From the Protocol list, select the network protocol that the protected object uses. Options are: TCP, UDP, or All Protocols.
  7. From the VLAN list, select the name of the virtual network available to this protected object. Options are: Any, and a list of VLANs that are defined on the system. The default is Any, meaning any VLAN.
    Tip: You can create VLANs by clicking Network Configuration.
  8. If the protected object manages SSL traffic (required for HTTPS), select the SSL check box, and configure these settings:
    1. From the SSL Certificate list, select the SSL certificate and key for the server-side certificate that is presented to the client on the client-side flow.
      Note: You need to have imported both an SSL certificate (signed by a certificate authority) and key onto the system in System > File Management > SSL Certificate List.
    2. If you want to encrypt SSL traffic heading to the server, select the Encrypt Connection to Server check box.
  9. From the Deployment Model list, select whether the traffic is Symmetric (connections from both sides) or Asymmetric (inbound connections only).
    Tip: Some attacks (such as HTTP, HTTPS, SIP, or Syn Flood) may not be detected if you use Asymmetric.
  10. For the Action, select what you want to happen in case of a DDoS attack:
    • To have the system detect, log, and mitigate DDoS attacks, select Log And Mitigate. The mitigating action rate-limits the attack. You can also select to detect bad actors, blacklist the bad actors, and advertise the bad actors.
    • To have the system detect and log attacks only, select Log Only. To ensure that no mitigation takes place, you must set the rate-limit thresholds for all enabled vectors to Infinite.
    • To disable system-level device protection and take no action, select None.
    The selected action occurs when a DoS vector exceeds the detection (log) or rate-limit (mitigate) threshold.
  11. If you are using Silverline DDoS Protection Services, select the Silverline check box.

    The system reports DDoS attacks to F5 Silverline. For severe attacks, you can work with the F5 Silverline Security Operations Center (SOC) to migrate traffic to the F5 Silverline Cloud Platform for mitigation.

  12. For Whitelisted IP Addresses, one at a time, type trusted IP addresses or subnets that do not need to be examined for DoS attacks, and click Add.
  13. If you want to detect attacks by considering server health using stress-based detection by measuring server latency, select the Server Health check box.
    You can clear this check box if you are using HTTP or HTTPS L7 DoS detection. It must be set if you are using Behavioral DoS detection.
    When the box is cleared, DDoS detection uses TPS to measure transaction rates with absolute thresholds. Behavioral DoS mitigation is disabled.
  14. For DDoS settings, select the categories of protections to enforce at the device level.
    Note: Some of the settings are mutually exclusive (SIP, DNS, HTTP, and HTTPS), and cause others to be unavailable. For example, if you are protecting an HTTP application server, you could select IPv4 or IPv6, TCP, HTTP, and optionally, Sweep.
    Setting and when to use it:
    • IPv4: The protected object uses 32-bit IP addressing, any protocol, any deployment model.
    • IPv6: The protected object uses 64-bit IP addressing, any protocol, any deployment model.
    • TCP: The protected object uses the TCP protocol. The protocol of the protected object must be set to TCP or All Protocols; any deployment model is allowed (SYN cookies are disabled for Asymmetric).
    • UDP: The protected object uses the UDP protocol. The protocol of the protected object must be set to UDP or All Protocols; any deployment model is allowed.
    • Sweep: To protect against single-endpoint flood and sweep DDoS attacks.
    • DNS: The protected object is one or more DNS servers. The port of the protected object must be set to one DNS port number, the protocol must be set to UDP or TCP, and the deployment model must be Symmetric.
    • SIP: The protected object is one or more SIP servers. The port of the protected object must be set to one SIP port number, the protocol must be set to UDP or TCP, and the deployment model must be Symmetric.
    • HTTP: The protected object is one or more HTTP application servers. The port of the protected object must be set to one port number, the protocol must be set to TCP, and the deployment model must be Symmetric.
    • HTTPS: The protected object is one or more HTTPS application servers. The port of the protected object must be set to one port number, the protocol must be set to TCP, the deployment model must be Symmetric, and an SSL Certificate must be specified.
    The system pre-configures all of the vectors in each of the categories, but you might need to adjust the values to suit your environment.
  15. Click the + sign next to the category to display the attack vectors.
    A table opens listing the associated attack vectors, the properties, and the current device statistics, if available.
  16. Click the name of any vector to edit the settings.
    The configuration settings appear on the right side of the screen.
  17. Configure the DDoS vector for automatic threshold configuration or manual thresholds.
    • If the attack allows automatic threshold configuration, you can select Auto-Threshold Configuration to configure automatic thresholds. See Automatically setting system-wide DDoS thresholds for details.
    • To configure thresholds manually, click Manual Configuration. See Manually setting system-wide DDoS thresholds for details.
  18. Click the Update button.
    The system creates the protected object.
Now you have configured the system to protect against DDoS attacks, and to allow such attacks to be identified in system logs and reports.

How to protect different network objects from DDoS attacks

Administrators often want to protect against a specific type of DDoS attack or to protect a particular type of protected object from attacks. This table gives you an idea of the types of protections you can set up.

To protect this: Set this in the protected object:
DNS Servers
  • Set Port to the DNS port.
  • Set Protocol to All Protocols.
  • Set Deployment Model to Symmetric.
  • In DDoS Settings, click DNS.
  • Expand DNS, check threshold settings.
SIP Servers
  • Set Port to the SIP port.
  • Set Protocol to TCP.
  • Set Deployment Model to Symmetric.
  • In DDoS Settings, click SIP.
  • Expand SIP, check threshold settings.
Web applications
  • Set Port to 80 for HTTP or 443 for HTTPS.
  • Set Protocol to TCP.
  • Set Deployment Model to Symmetric.
  • In DDoS Settings, click HTTP or HTTPS.
  • Expand HTTP or HTTPS, check threshold settings.
Backend servers from Syn Floods
  • Set IP Address to * for all addresses.
  • Set Port to * for all ports.
  • Set VLAN to defaultVLAN.
  • Set Protocol to TCP.
  • Set Deployment Model to Symmetric.
  • In DDoS Settings, click TCP.
  • Expand TCP, check the settings for TCP SYN Flood.
Backend servers from Sweep Attacks
  • Set IP Address to * for all addresses.
  • Set Port to * for all ports.
  • Set VLAN to defaultVLAN.
  • Set Protocol to TCP.
  • Set Deployment Model to Symmetric.
  • In DDoS Settings, click Sweep.
  • Expand Sweep, for Sweep set the packet types to check for sweep attacks.

DDoS protected object attack types

For each protected object, you can specify specific threshold, rate increase, rate limit, and other parameters for supported DoS attack types, to more accurately detect, track, and rate limit attacks.

IPv4 Attack Vectors

  • Host Unreachable: The host cannot be reached.
  • ICMP Fragment: ICMP fragment flood.
  • ICMPv4 Flood: Flood with ICMPv4 packets.
  • IP Fragment Flood: Fragmented packet flood with IPv4.
  • IP Option Frames: IPv4 packets that are part of an IP option frame flood. The db variable tm.acceptipsourceroute must be enabled on the command line for the system to receive IP options.
  • Option Present With Illegal Length: Packets contain an option with an illegal length.

IPv6 Attack Vectors

  • ICMPv6 Flood: Flood with ICMPv6 packets.
  • IPv6 Extended Header Frames: IPv6 packet contains extended header frames.
  • IPv6 extension header too large: An IPv6 extension header exceeds the limit in bytes set at DoS Protection > Quick Configuration > Global Settings, in the Too Large IPv6 Extension Header field.
  • IPv6 Fragment Flood: The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection > Quick Configuration > Global Settings, in the IPv6 Low Hop Count field.
  • IPv6 hop count <= <tunable>: The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection > Quick Configuration > Global Settings, in the IPv6 Low Hop Count field.
  • Too Many Extended Headers: For an IPv6 packet, the extension headers exceed the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Many IPv6 Extension Header field.

TCP Attack Vectors

  • TCP Bad URG: The TCP header has a bad URG flag (the flag is set and the urgent pointer is 0); this is likely malicious.
  • TCP Option Overruns TCP Header: The TCP option bits overrun the TCP header.
  • TCP PSH Flood: Attackers send spoofed PUSH packets at very high rates; the packets do not belong to any current session.
  • TCP RST Flood: A TCP reset attack, also known as "forged TCP resets", "spoofed TCP reset packets" or "TCP reset attacks", is a method of tampering with Internet communications.
  • TCP SYN ACK Flood: An attack method that involves sending a target server spoofed SYN-ACK packets at a high rate.
  • TCP SYN Flood: Attackers send a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
  • TCP SYN Oversize: Detects TCP data SYN packets larger than the maximum specified in the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216.
  • TCP Window Size: The TCP window size in packets is above the maximum size. To tune this setting, change the setting at DoS Protection > Quick Configuration > Global Settings, in the Too Low TCP Window Size field.
  • Unknown TCP Option Type: The TCP option type is not standard.

UDP Attack Vector

  • UDP Flood: The attacker sends UDP packets, typically large ones, to a single destination or to random ports.

Sweep Attack Vector

  • Sweep: The attacker uses a network scanning technique that typically sweeps your network by sending packets and using the packet responses to determine live hosts.

DNS Attack Vectors

All DNS vectors apply to UDP DNS queries on the DNS VLAN, which is <tunable>: to tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). Each vector is identified as follows:
  • a: DNS Qtype is A_QRY.
  • aaaa: DNS Qtype is AAAA.
  • any: DNS Qtype is ANY_QRY.
  • axfr: DNS Qtype is AXFR.
  • cname: DNS Qtype is CNAME.
  • ixfr: DNS Qtype is IXFR.
  • mx: DNS Qtype is MX.
  • ns: DNS Qtype is NS.
  • other: DNS Qtype is OTHER.
  • ptr: DNS Qtype is PTR.
  • qdcount: DNS QDCount limit; the DNS qdcount is not equal to 1.
  • soa: DNS Qtype is SOA_QRY.
  • srv: DNS Qtype is SRV.
  • txt: DNS Qtype is TXT.
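As an added example (not F5 code), the following Python classifies a UDP DNS query into the vector names in the table above by reading the DNS header and question from the wire format: the qdcount vector fires when QDCOUNT is not 1, otherwise the Qtype selects the vector, with unknown types counted as other, and only packets on the tuned DNS VLAN are counted. The queries are constructed by build_query; the "malformed" result for a truncated packet is this example's stand-in for the DNS Malformed bad-header vector, not a name from the DNS table.

```python
# Added example, not F5 code: classify a UDP DNS query into the vector names in the table
# above from its Qtype and qdcount, honouring the DNS VLAN tunable.
import struct
from typing import Optional

# Qtype values from the DNS wire format, mapped to the vector names used on this page.
QTYPE_TO_VECTOR = {1: "a", 28: "aaaa", 255: "any", 252: "axfr", 5: "cname", 251: "ixfr",
                   15: "mx", 2: "ns", 12: "ptr", 6: "soa", 33: "srv", 16: "txt"}


def build_query(name: str, qtype: int, qdcount: int = 1, txid: int = 0x1234) -> bytes:
    """Build a constructed DNS query (header + one question); qdcount may be set wrong on purpose."""
    header = struct.pack("!HHHHHH", txid, 0x0100, qdcount, 0, 0, 0)   # flags: RD set, QR clear
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)            # qclass IN


def classify_dns_query(payload: bytes, vlan: str, dns_vlan: str) -> Optional[str]:
    """Return the DNS vector a query counts toward, "malformed" for a truncated packet,
    or None when the packet is not counted (wrong VLAN, or a response rather than a query)."""
    if vlan != dns_vlan:                     # DNS vectors only apply on the tuned DNS VLAN
        return None
    if len(payload) < 12:
        return "malformed"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                       # QR bit set: a response, not a query
        return None
    if qdcount != 1:                         # the qdcount vector fires before Qtype is inspected
        return "qdcount"
    pos = 12
    while True:                              # walk the QNAME labels to reach Qtype
        if pos >= len(payload):
            return "malformed"
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:                    # compression pointer: two bytes, ends the name
            pos += 2
            break
        pos += 1 + length
    if pos + 4 > len(payload):
        return "malformed"
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return QTYPE_TO_VECTOR.get(qtype, "other")
```

Running classify_dns_query over a capture from the DNS VLAN gives per-vector counts that can be compared against the detection thresholds configured for each DNS vector.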

SIP Attack Vectors

  • ack: SIP ACK packets. Used with an INVITE request when establishing a call.
  • bye: SIP BYE packets. The attacker tries to terminate a communication session prematurely.
  • cancel: SIP CANCEL packets. Attackers prevent callers from establishing a session.
  • invite: SIP INVITE packets. Attackers send multiple INVITE packets to initiate call sessions.
  • message: SIP MESSAGE packets. Attackers send instant messages.
  • notify: SIP NOTIFY packets. Attackers send notifications, such as of voicemails.
  • options: SIP OPTIONS packets. Attackers send probes to determine the capabilities of servers.
  • other: Other SIP method packets.
  • prack: SIP PRACK packets. Attackers send PRACK packets for provisional acknowledgements.
  • publish: SIP PUBLISH packets. Attackers publish messages to the server.
  • register: SIP REGISTER packets. Attackers register or unregister a phone address listed in the To header field with a SIP server.
  • subscribe: SIP SUBSCRIBE packets. Attackers send subscriber notification messages.
  • URI Limit: The SIP URI exceeds the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Long SIP URI field. This setting should be less than 1024, the maximum length for a SIP URI in bytes.

Layer 7 HTTP and HTTPS Attack Vectors

  • Behavioral: Indicates an attack by bad actors' anomalous behavior, based on deviation from baseline behavior.
  • Detection by Device: Indicates an attack by suspicious client devices, tracked by fingerprinting, with a high number of transactions per second.
  • Detection by Geolocation: Indicates an attack by suspicious geographical locations, identified by their IP range, with an unusual traffic share.
  • Detection by Site: Indicates that the global traffic on the site (the whole application) signifies an attack, based on a high number of transactions per second.
  • Detection by Source-IP: Indicates an attack by suspicious clients, identified by their IP address, with a high number of transactions per second.
  • Detection by URL: The attack targets specific URLs in the web application by sending a high number of transactions per second to them.
  • Heavy URL: The attack focuses on URLs that consume considerable server resources and thus can become tipping points in DoS attacks. The system automatically detects heavy URLs.
  • Proactive Bot Defense: Attacks caused by web robots. The system uses JavaScript evaluations and bot signatures to ensure that browsers are legitimate and not automated.

HTTP and HTTPS Proactive Bot Defense Categories

  • Benign: Crawler, HTTP Library, Search Bot, Search Engine, Service Agent, Site Monitor, Social Media Agent, Web Downloader.
  • Malicious: DoS Tool, E-Mail Collector, Exploit Tool, Network Scanner, Spam Bot, Vulnerability Scanner, Web Spider.

DDoS device attack types

You can specify specific threshold, rate increase, rate limit, and other parameters for supported device-level DDoS attack types, to more accurately detect, track, and rate limit attacks. Broken packets, such as those with bad headers, should be severely rate limited.

Bad Header attack types

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| Bad ICMP Checksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes |
| Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: 0 Echo Reply, 3 Destination Unreachable, 4 Source Quench, 5 Redirect, 8 Echo, 11 Time Exceeded, 12 Parameter Problem, 13 Timestamp, 14 Timestamp Reply, 15 Information Request, 16 Information Reply, 17 Address Mask Request, 18 Address Mask Reply. Valid IPv6 types: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem, 128 Echo Request, 129 Echo Reply, 130 Membership Query, 131 Membership Report, 132 Membership Reduction. | Yes |
| Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
| Bad IP TTL Value | Time-to-live equals zero for an IPv4 packet. | Yes |
| Bad IP Version | The version field in the IPv4 header is not 4. | Yes |
| Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes |
| Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes |
| Bad IPV6 Version | The version field in the IPv6 header is not 6. | Yes |
| Bad SCTP Checksum | Bad SCTP packet checksum. | No |
| Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. | Yes |
| Bad TCP Checksum | The TCP checksum does not match. | Yes |
| Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes |
| Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes |
| Bad UDP Checksum | The UDP checksum is not correct. | Yes |
| Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than the IP length or the Layer 2 length. | Yes |
| DNS Malformed | Malformed DNS packet. | Yes |
| DNS Oversize | Detects oversized DNS headers. To tune this value, set the Too Large DNS Packet setting at DoS Protection > Quick Configuration > Global Settings to the maximum value for a DNS header, from 256-8192 bytes. | Yes |
| DNS QDCount Limit | UDP packet, DNS qdcount is not equal to 1, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes |
| FIN Only Set | Bad TCP flags (only FIN is set). | Yes |
| Header Length > L2 Length | No room in the Layer 2 packet for the IPv4 header (including options). | Yes |
| Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes |
| ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length set at DoS Protection > Quick Configuration > Global Settings, in the Too Large IPv6 Extension Header field. To tune this value, in tmsh run modify sys db dos.maxicmpframesize value <value>, where value is <= 65515. | Yes |
| IP Error Checksum | The header checksum is not correct. | Yes |
| IP Length > L2 Length | The total length in the IPv4 header or the payload length in the IPv6 header is greater than the Layer 3 length in a Layer 2 packet. | Yes |
| IP Option Frames | IPv4 packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
| IP Option Illegal Length | Option present with illegal length. | No |
| IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 packets. | Yes |
| IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes |
| IPv6 Extended Header Frames | IPv6 packet contains extended header frames. | Yes |
| IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes |
| IPv6 extension header too large | An IPv6 extension header exceeds the limit in bytes set at DoS Protection > Quick Configuration > Global Settings, in the Too Large IPv6 Extension Header field. | Yes |
| IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to the hop count limit set at DoS Protection > Quick Configuration > Global Settings, in the IPv6 Low Hop Count field. | Yes |
| IPV6 Length > L2 Length | IPv6 packet length is greater than the Layer 2 length. | Yes |
| L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the Layer 2 length is greater than the minimum packet size. | Yes |
| No L4 | No Layer 4 payload in an IPv4 packet. | Yes |
| No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes |
| Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes |
| Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes |
| SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes |
| TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes |
| TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes |
| TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes |
| TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes |
| Too Many Extended Headers | For an IPv6 packet, the extension headers exceed the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Many IPv6 Extension Header field. | Yes |
| TTL <= <tunable> | An IP packet with a destination that is not multicast has a TTL greater than 0 and less than the value set at DoS Protection > Quick Configuration > Global Settings, in the IPv4 Low TTL field. The range for this setting is 1-4. | Yes |
| Unknown Option Type | Unknown IP option type. | No |
| Unknown TCP Option Type | Unknown TCP option type. | Yes |
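
As an added example, not F5's code, the following Python function applies several of the Bad Header checks described in the table above to one raw IPv4 packet and returns the names of the vectors it would count toward, which is useful when checking what a captured packet should have triggered. The low_ttl parameter stands in for the IPv4 Low TTL setting (its name is ours), and the packets used to exercise it are constructed byte strings.

```python
import struct

IGMP_TYPES = {0x11, 0x12, 0x16, 0x17, 0x22}  # query, v1/v2 reports, leave, v3 report


def bad_header_vectors(pkt, low_ttl=1):
    """Names of the Bad Header vectors (table above) that a raw IPv4 packet, given
    without its Ethernet header, would count toward. low_ttl stands in for the
    IPv4 Low TTL global setting (1-4); the parameter name is ours."""
    hits = []
    if len(pkt) < 20:  # a minimal IPv4 header does not even fit in the L2 frame
        return ["Header Length > L2 Length"]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBHII", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        hits.append("Bad IP Version")
    if ihl < 20:
        hits.append("Header Length Too Short")
    if ttl == 0:
        hits.append("Bad IP TTL Value")
    elif ttl < low_ttl and (dst >> 28) != 0xE:  # non-multicast destinations only
        hits.append("TTL <= <tunable>")
    if src in (0xFFFFFFFF, 0xE0000000):  # 255.255.255.255 or 224.0.0.0
        hits.append("Bad Source")
    if src == dst:
        hits.append("LAND Attack")
    payload = pkt[ihl:]
    if proto == 2:  # IGMP: type in bits 7:0, max-response code in bits 15:8
        if len(payload) < 8 or payload[0] not in IGMP_TYPES:
            hits.append("Bad IGMP Frame")
        elif payload[1] != 0 and payload[0] != 0x11:  # code only valid on a query
            hits.append("Bad IGMP Frame")
    elif proto == 6 and len(payload) >= 20:  # TCP
        seq = struct.unpack("!I", payload[4:8])[0]
        doff, flags = payload[12] >> 4, payload[13] & 0x3F  # FIN SYN RST PSH ACK URG
        if doff < 5:
            hits.append("TCP Header Length Too Short (Length < 5)")
        elif ihl + doff * 4 > len(pkt):
            hits.append("TCP Header Length > L2 Length")
        if flags == 0 and seq == 0:
            hits.append("Bad TCP Flags (All Cleared)")
        elif flags == 0x3F:
            hits.append("Bad TCP Flags (All Flags Set)")
        elif flags == 0x01:
            hits.append("FIN Only Set")
        elif flags & 0x03 == 0x03:
            hits.append("SYN && FIN Set")
    return hits
```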

DNS attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS Response Flood | UDP DNS Port=53 packet, and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
| DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, set the DNS VLAN setting at DoS Protection > Quick Configuration > Global Settings to the DNS VLAN (0-4094). | Yes |
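
As an added example, not F5's code, the following Python function classifies one UDP/53 payload into the DNS vector it would count toward, combining the VLAN qualifier and Qtype rows of this table with the DNS Malformed, DNS Oversize, DNS QDCount Limit and DNS Response Flood rows of the Bad Header table. The dns_vlan and too_large parameters stand in for the DNS VLAN and Too Large DNS Packet global settings (the names are ours), and the packets used to exercise it are constructed.

```python
import struct

# QTYPE value -> vector name, per the DNS attack vectors table above
QTYPE_VECTORS = {1: "DNS A Query", 2: "DNS NS Query", 5: "DNS CNAME Query",
                 6: "DNS SOA Query", 12: "DNS PTR Query", 15: "DNS MX Query",
                 16: "DNS TXT Query", 28: "DNS AAAA Query", 33: "DNS SRV Query",
                 251: "DNS IXFR Query", 252: "DNS AXFR Query", 255: "DNS Any Query"}


def dns_vector(dns, vlan, dns_vlan, too_large=512):
    """Return the DNS vector one UDP/53 payload counts toward, or None.
    vlan is the VLAN the packet arrived on; dns_vlan models the DNS VLAN setting
    (0-4094) and too_large the Too Large DNS Packet setting (256-8192). The
    parameter names are ours, not the product's."""
    if vlan != dns_vlan:  # the VLAN-qualified vectors watch only the DNS VLAN
        return None
    if len(dns) > too_large:
        return "DNS Oversize"
    if len(dns) < 12:  # a DNS header is 12 bytes
        return "DNS Malformed"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    if flags & 0x8000:  # bit 15 (QR) set: a response, not a query
        return "DNS Response Flood"
    if qdcount != 1:
        return "DNS QDCount Limit"
    pos = 12  # walk the question name: length-prefixed labels ending in a 0 byte
    while True:
        if pos >= len(dns):
            return "DNS Malformed"
        label_len = dns[pos]
        if label_len & 0xC0:  # a compression pointer cannot start a query name
            return "DNS Malformed"
        pos += 1 + label_len
        if label_len == 0:
            break
    if pos + 4 > len(dns):  # QTYPE and QCLASS must follow the name
        return "DNS Malformed"
    qtype = struct.unpack("!H", dns[pos:pos + 2])[0]
    return QTYPE_VECTORS.get(qtype, "DNS OTHER Query")
```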

Flood attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| Flood | ARP packet flood | Yes |
| Ethernet Broadcast Packet | Ethernet broadcast packet flood | Yes |
| Ethernet Multicast Packet | Ethernet destination is not broadcast, but is multicast. | Yes |
| ICMPv4 Flood | Flood with ICMPv4 packets | Yes |
| ICMPv6 Flood | Flood with ICMPv6 packets | Yes |
| IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes |
| IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes |
| IP Fragment Flood | Fragmented packet flood with IPv4 | Yes |
| IPv6 Fragment Flood | Fragmented packet flood with IPv6 | No |
| Routing Header Type 0 | Routing header type zero is present in flood packets | Yes |
| TCP BADACK Flood | TCP ACK packet flood | No |
| TCP PUSH Flood | TCP PUSH flood | Yes |
| TCP RST Flood | TCP RST flood | Yes |
| TCP SYN ACK Flood | TCP SYN/ACK flood | Yes |
| TCP SYN Flood | TCP SYN flood | Yes |
| TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified in the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Large TCP SYN Packet field. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes |
| TCP Window Size | The TCP window size in packets is above the maximum size. To tune this setting, change the setting at DoS Protection > Quick Configuration > Global Settings, in the Too Low TCP Window Size field. | Yes |
| UDP Flood | UDP flood attack | Yes |

Fragmentation attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| ICMP Fragment | ICMP fragment flood | Yes |
| IP Fragment Error | Other IPv4 fragment error | Yes |
| IP Fragment Overlap | IPv4 overlapping fragment error | No |
| IP Fragment Too Small | IPv4 short fragment error | Yes |
| IPV6 Atomic Fragment | IPv6 Fragment header present with M=0 and FragOffset=0 | Yes |
| IPV6 Fragment Error | Other IPv6 fragment error | Yes |
| IPv6 Fragment Overlap | IPv6 overlapping fragment error | No |
| IPv6 Fragment Too Small | IPv6 short fragment error | Yes |

Single Endpoint attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| Single Endpoint Flood | A flood to a single endpoint, which can come from many sources. You can configure the packet types to check for, and the packets per second for both detection and rate limiting. | No |
| Single Endpoint Sweep | A sweep on a single endpoint. You can configure the packet types to check for, and the packets per second for both detection and rate limiting. | No |

SIP attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| SIP ACK Method | SIP ACK packets | Yes |
| SIP BYE Method | SIP BYE packets | Yes |
| SIP CANCEL Method | SIP CANCEL packets | Yes |
| SIP INVITE Method | SIP INVITE packets | Yes |
| SIP Malformed | Malformed SIP packets | Yes |
| SIP MESSAGE Method | SIP MESSAGE packets | Yes |
| SIP NOTIFY Method | SIP NOTIFY packets | Yes |
| SIP OPTIONS Method | SIP OPTIONS packets | Yes |
| SIP OTHER Method | Other SIP method packets | Yes |
| SIP PRACK Method | SIP PRACK packets | Yes |
| SIP PUBLISH Method | SIP PUBLISH packets | Yes |
| SIP REGISTER Method | SIP REGISTER packets | Yes |
| SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes |

Other attack vectors

| Vector | Information | Hardware accelerated |
| --- | --- | --- |
| Host Unreachable | Host unreachable error | Yes |
| IP Unknown protocol | Unknown IP protocol | No |
| LAND Attack | Source IP address equals destination IP address. | Yes |
| SIP URI Limit | The SIP URI exceeds the limit set at DoS Protection > Quick Configuration > Global Settings, in the Too Long SIP URI field. This setting should be less than 1024, the maximum length for a SIP URI in bytes. | Yes |
| TIDCMP | ICMP source quench attack | Yes |