Manual Chapter : Preventing DDoS Flood and Sweep Attacks

Applies To: F5 DDoS Hybrid Defender 12.1.0

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. Typical attacks use ICMP to accomplish this.

The Sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint Sweep criteria, and exceed the rate limit, are dropped. You can also configure the Sweep vector to automatically blacklist an IP address from which the Sweep attack originates.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large number of UDP packets, requiring the system to verify applications and send responses.

The Flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped. The system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

Sweep and flood are the first prevention vectors whose effect is limited to the affected hosts. For example, the Flood TCP SYN flood vector rate limits all TCP SYNs, good and bad, once the rate limit threshold is reached. Sweep protection detects and rate limits only the offending sources, and Flood protection detects and limits only the traffic to the targeted host. Mitigating with these vectors causes much less collateral damage, so you can set their limits lower than would be reasonable for the indiscriminate vectors.

Task list

Protecting against single-endpoint flood and sweep attacks

You can configure single-endpoint protection to protect a specific server from flood and sweep attacks.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Specify the Auto Threshold Sensitivity.
    A lower number means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage.
  4. Expand the Single-Endpoint category, and click Single Endpoint Flood.
    The settings appear on the right.
  5. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  6. From the Rate/Leak Limit list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second), which cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the limit.
    • Use Infinite to set no value for the threshold.
  7. In the Packet Types area, move the packet types you want to detect into the Selected list.
  8. On the left, under the Single-Endpoint category, click Single Endpoint Sweep.
    The settings appear on the right, and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
  9. In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  10. To automatically blacklist bad actor IP addresses, select Blacklist Attacking Address.
    Note: Automatic IP address blacklisting is enabled only when Bad Actor Detection is enabled.
  11. Select the Blacklist Category to which blacklist entries generated by Bad Actor Detection are added.
  12. Specify the Detection Time, in seconds, after which an IP address is blacklisted.
    When a Bad Actor IP address exceeds the Per Source IP Detection PPS setting for the Detection Time period, that IP address is added to the blacklist.
  13. To change the duration for which the address is blacklisted, specify the duration in seconds in the Duration field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  14. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisements.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  15. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  16. Click the Update button.
    The flood and sweep attack configurations are updated.
Now you have configured the system to provide protection against DoS flood and sweep attacks on a single server, and to allow such attacks to be identified in system logs and reports.
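The per-source sweep and per-destination flood logic described above, together with the detection threshold, rate limit, Detection Time and blacklist Duration settings from the task, as an added example that is not F5 code: a constructed Python model of the behaviour the chapter describes, evaluated once per second. All thresholds, addresses and timings are hypothetical, and None stands for the Infinite setting.

```python
from collections import defaultdict

# Added example, not F5 code: a simplified model of the Single Endpoint Sweep
# (keyed by source) and Single Endpoint Flood (keyed by destination) vectors.
# Thresholds are packets per second; None stands for the "Infinite" setting.
DEFAULT_BLACKLIST_SECONDS = 14400  # the chapter's default of 4 hours

class SweepFloodModel:
    def __init__(self, sweep_detect, sweep_limit, flood_detect, flood_limit,
                 detection_time=0, blacklist_attacker=False,
                 blacklist_duration=DEFAULT_BLACKLIST_SECONDS):
        self.sweep_detect, self.sweep_limit = sweep_detect, sweep_limit
        self.flood_detect, self.flood_limit = flood_detect, flood_limit
        self.detection_time, self.blacklist_attacker = detection_time, blacklist_attacker
        self.blacklist_duration = blacklist_duration
        self.over_since = {}  # source -> first second it exceeded the detection threshold
        self.blacklist = {}   # source -> second at which its blacklist entry expires
        self.events = []      # (second, kind, address): what the system would log

    def tick(self, now, packets):
        """Evaluate one 1-second sample of (src, dst) pairs; return (forwarded, dropped)."""
        self.blacklist = {s: exp for s, exp in self.blacklist.items() if exp > now}
        per_src, per_dst, passed, forwarded = defaultdict(int), defaultdict(int), [], 0
        # The sweep vector acts first: blacklisted sources and packets over the
        # per-source rate limit are dropped before the flood vector sees them.
        for src, dst in packets:
            per_src[src] += 1
            if src not in self.blacklist and (
                    self.sweep_limit is None or per_src[src] <= self.sweep_limit):
                passed.append((src, dst))
        for src in set(per_src) | set(self.over_since):
            n = per_src.get(src, 0)
            if self.sweep_detect is None or n <= self.sweep_detect:
                self.over_since.pop(src, None)  # the excess must be continuous to count
                continue
            self.events.append((now, "sweep", src))
            first = self.over_since.setdefault(src, now)
            if (self.blacklist_attacker and src not in self.blacklist
                    and now - first >= self.detection_time):
                self.blacklist[src] = now + self.blacklist_duration
                self.events.append((now, "blacklist", src))
        # The flood vector is keyed by destination and limits traffic only to that host.
        for src, dst in passed:
            per_dst[dst] += 1
            if self.flood_limit is None or per_dst[dst] <= self.flood_limit:
                forwarded += 1
        for dst, n in per_dst.items():
            if self.flood_detect is not None and n > self.flood_detect:
                self.events.append((now, "flood", dst))
        return forwarded, len(packets) - forwarded
```

A blacklist entry takes effect from the second after it is created, and a source that stops exceeding the detection threshold has its Detection Time progress reset, so a single-second spike does not get it blacklisted.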

Protecting objects system-wide from flood attacks

You can use DDoS Hybrid Defender™ to protect all objects system-wide from flood attacks.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. In the Device Protection area, click Device Configuration.
    The DoS Device Configuration screen opens.
  3. Specify the Auto Threshold Sensitivity.
    A lower number means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage.
  4. Expand the Flood category, and review the settings for the different types of floods.
  5. Click the type of flood for which you want to change the settings.
    The settings appear on the right.
  6. Adjust the settings as needed.
    Tip: In the settings that allow it, click Auto-Threshold Configuration to have the system determine the thresholds based on traffic.
  7. Click the Update button.
    The flood attack configuration is updated.
Now you have configured the system to provide protection against DDoS flood attacks, to allow such attacks to be identified in system logs and reports, and to automatically add such attackers to a blacklist of your choice.