Manual Chapter : Detecting and Preventing DNS DoS Attacks on a Protected Object

Applies To:


BIG-IP AFM

  • 14.0.1, 14.0.0

Detecting and Preventing DNS DoS Attacks on a Protected Object

Overview: Preventing DNS DoS attacks on a protected object

DNS DoS protection is a type of protocol security. DNS DoS attack detection and prevention serves several functions:

  • To detect and report on DNS packets based on behavior characteristics of the sender, or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit DNS packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can use the DNS DoS protection profile to configure the percentage increase over the system baseline that indicates a possible attack is in progress on a particular DNS query type, or an increase in anomalous packets. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.

You can specify address lists as a whitelist that the DoS checks allow. Whitelisted addresses are passed by the protection profile without being subject to the checks in the protection profile.

Per-protected object DoS protection requires that your protected object includes a protection profile that includes DNS security.

Task list

Detecting and protecting against DNS DoS attacks with a protection profile

You can configure DNS attack settings in a protection profile that already exists, or create a new one.
The BIG-IP system handles DNS attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses, by detecting packets per second and detecting percentage increase in packets over time. You can configure settings to identify and rate limit possible DNS attacks with a protection profile.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click Create.
    The New Protection Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  5. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
  6. To configure DNS security settings, for Families, select DNS.
  7. Dynamic signature enforcement creates signatures that define attacks based on changing traffic patterns over time. To enable dynamic signatures for DNS traffic, point to DNS, then select the Edit icon (pencil) that appears on the right side.
    The DNS Properties pane opens on the right.
  8. In the Properties pane, for Dynamic Signature Enforcement, from the list, select Enabled.
    Note: At first, you may want to select Learn Only to track dynamic signatures, without enforcing any thresholds or limits. Once you see that the system is accurately detecting attacks, then select Enabled.
  9. From the Mitigation Sensitivity list, select the sensitivity level for dropping packets.
    • Select None to generate and log dynamic signatures, without dropping packets.
    • To drop packets, set the mitigation level from Low to High. A setting of Low is least aggressive, but will also trigger fewer false positives. A setting of High is most aggressive, and the system may drop more false positive packets.
  10. At the bottom of the screen, click DNS.
    The screen displays the DNS attack vectors.
  11. To configure enforcement and settings for a DNS vector, in the Vector Name column, click the name.
    The vector properties pane opens on the right.
  12. In the Properties pane, from the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector, log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  13. For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), have partially automatic settings (Manual Detection / Auto Mitigation), or control the settings yourself (Fully Manual).
    The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to online Help for details on the settings.
  14. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Note: Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
    1. In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
      Unless set to infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
  15. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  16. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  17. From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
  18. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  19. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  20. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
You have now configured a DoS protection profile to provide custom responses to malicious DNS protocol attacks, to allow such attacks to be identified in system logs and reports, and to allow rate limiting and other actions when such attacks are detected. DNS queries on particular record types you have configured in the DNS Query Attack Detection area are detected as attacks at your specified thresholds and rate increases, and rate limited as specified.
Associate a DNS profile with a protected object to enable the protected object to handle DNS traffic. Associate the DoS protection profile with a protected object to apply the settings in the profile to traffic on that protected object.
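The Bad Actor Detection and blacklisting settings from steps 15 through 19, modelled as an added Python example (illustrative code written for this page, not BIG-IP AFM's implementation). It assumes a per-source packets-per-second threshold, the default Sustained Attack Detection Time of 60 seconds and Category Duration Time of 14400 seconds, and a placeholder category name; it shows how the sustained-detection timer restarts when a source drops below the threshold and how a blacklist entry expires.

```python
from dataclasses import dataclass, field


@dataclass
class BadActorTracker:
    """Simplified model of Bad Actor Detection with Add Source Address to Category.

    Illustrative code, not BIG-IP AFM's implementation. The parameters mirror the
    profile fields described above: a per-source packets-per-second threshold,
    Sustained Attack Detection Time (default 60 s) and Category Duration Time
    (default 14400 s). The category name is an assumed placeholder.
    """
    pps_threshold: int
    sustained_seconds: int = 60
    category_duration: int = 14400
    category: str = "example_blacklist_category"
    # src_ip -> first second at which the source exceeded the threshold
    _over_since: dict = field(default_factory=dict)
    # src_ip -> time (seconds) at which its blacklist entry expires
    blacklist: dict = field(default_factory=dict)

    def observe(self, src_ip: str, pps: int, now: int) -> str:
        """Feed one per-second packet count for src_ip observed at time `now`.

        Returns "blacklisted" while the source is in the category, "rate_limit"
        while it exceeds the threshold but not yet for sustained_seconds, else "pass".
        """
        if src_ip in self.blacklist:
            if now < self.blacklist[src_ip]:
                return "blacklisted"
            del self.blacklist[src_ip]          # Category Duration Time elapsed
        if pps <= self.pps_threshold:
            self._over_since.pop(src_ip, None)  # attack not sustained; restart timer
            return "pass"
        started = self._over_since.setdefault(src_ip, now)
        if now - started >= self.sustained_seconds:
            self.blacklist[src_ip] = now + self.category_duration
            self._over_since.pop(src_ip, None)
            return "blacklisted"
        return "rate_limit"


def simulate(tracker: BadActorTracker, src_ip: str, pps_by_second: list) -> list:
    """Run a constructed per-second series through the tracker; returns the verdicts."""
    return [tracker.observe(src_ip, pps, t) for t, pps in enumerate(pps_by_second)]
```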

Assigning a DNS profile to a protected object

You can optionally assign a DNS profile to the protected object. However, assigning port 53 to the protected object automatically identifies traffic as DNS.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object to which you want to assign a DNS profile.
    The Properties pane opens on the right.
  3. Make sure the Service Port is set to 53 and Protocol is set to UDP.
    You can also set the protocol to TCP, but hardware acceleration is not supported for SIP in that case.
  4. From the Service Profile list, select dns.
    This assigns the default dns profile located in Local Traffic > Profiles > Services > DNS. There you can review, edit, or create new DNS profiles.
  5. Click Save.
The protected object now handles DNS traffic according to the DNS profile.

Associating a protection profile with a protected object

You must first create a DoS protection profile separately to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the protected object requires an HTTP profile (such as the default http).
You add denial-of-service protection to a protected object to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object to which you want to assign a protection profile.
    The Properties pane opens on the right.
  3. In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
    This associates the protection profile with the protected object.
  4. Click Save.
DoS protection is now enabled, and the DoS protection profile is associated with the protected object.

Creating a logging profile to log DNS attacks

Create a custom logging profile to log DNS DoS events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Profile Name field, type a name for the logging profile.
  4. Select the Protocol Security check box.
  5. In the DNS Security area, from the Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
  6. Select the Log Dropped Requests check box to enable the BIG-IP system to log dropped DNS requests.
  7. Select the Log Filtered Dropped Requests check box to enable the BIG-IP system to log DNS requests dropped due to DNS query/header-opcode filtering.
    Note: The system does not log DNS requests that are dropped due to errors in the way the system processes DNS packets.
  8. Select the Log Malformed Requests check box to enable the BIG-IP system to log malformed DNS requests.
  9. Select the Log Rejected Requests check box to enable the BIG-IP system to log rejected DNS requests.
  10. Select the Log Malicious Requests check box to enable the BIG-IP system to log malicious DNS requests.
  11. From the Storage Format list, select how the BIG-IP system formats the log.
    Option        Description
    None          Specifies the default format type in which the BIG-IP system logs messages to a remote Syslog server, for example: "management_ip_address","bigip_hostname","context_type","context_name","src_ip","dest_ip","src_port","dest_port","vlan","protocol","route_domain","acl_rule_name","action","drop_reason
    Field-List    Allows you to:
                  • Select, from a list, the fields to be included in the log.
                  • Specify the order the fields display in the log.
                  • Specify the delimiter that separates the content in the log. The default delimiter is the comma character.
    User-Defined  Allows you to:
                  • Select, from a list, the fields to be included in the log.
                  • Cut and paste, in a string of text, the order the fields display in the log.
  12. In the Logging Profile Properties, select the DoS Protection check box.
    The DoS Protection tab opens.
  13. In the DNS DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log DNS DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for SIP or Application DoS Protection.
  14. Click Create.
Assign this custom DoS DNS logging profile to a protected object (such as a DNS server).
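A small parser for log lines in the default ("None") storage format described in step 11, added here as an example (not BIG-IP code). It assumes the field order listed in the Storage Format table, and the sample lines are constructed with placeholder hostnames, addresses and drop_reason strings; it counts dropped DNS requests per source and reason, which is the view a defender wants when comparing logs against Bad Actor blacklist entries.

```python
import csv
import io
from collections import Counter

# Field order of the default ("None") storage format, as listed in the
# Storage Format table above; the page's example ends at drop_reason.
FIELDS = [
    "management_ip_address", "bigip_hostname", "context_type", "context_name",
    "src_ip", "dest_ip", "src_port", "dest_port", "vlan", "protocol",
    "route_domain", "acl_rule_name", "action", "drop_reason",
]

# Constructed sample lines (not real BIG-IP output); hostnames, addresses and
# drop_reason strings are placeholders.
SAMPLE_LOG = '''\
"192.0.2.10","bigip1.example.net","Virtual Server","/Common/dns_po","203.0.113.5","198.51.100.53","41234","53","external","UDP","0","","Drop","malformed"
"192.0.2.10","bigip1.example.net","Virtual Server","/Common/dns_po","203.0.113.5","198.51.100.53","41235","53","external","UDP","0","","Drop","malformed"
"192.0.2.10","bigip1.example.net","Virtual Server","/Common/dns_po","203.0.113.7","198.51.100.53","50001","53","external","UDP","0","","Drop","query filtered"
"192.0.2.10","bigip1.example.net","Virtual Server","/Common/dns_po","203.0.113.9","198.51.100.53","50002","53","external","UDP","0","","Accept",""
'''


def parse_dns_log(text: str) -> list:
    """Parse quoted, comma-delimited log lines into dicts keyed by FIELDS.

    Lines with an unexpected field count are skipped rather than misaligned.
    """
    reader = csv.reader(io.StringIO(text), delimiter=",", quotechar='"')
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def drops_by_source_and_reason(records: list, dest_port: str = "53") -> Counter:
    """Count dropped DNS requests (by default dest_port 53) per (src_ip, drop_reason)."""
    counts = Counter()
    for r in records:
        if r["action"] == "Drop" and r["dest_port"] == dest_port:
            counts[(r["src_ip"], r["drop_reason"])] += 1
    return counts


def top_dropped_sources(records: list, n: int = 3) -> list:
    """Sources with the most drops, to compare with Bad Actor blacklist entries."""
    counts = Counter(r["src_ip"] for r in records if r["action"] == "Drop")
    return counts.most_common(n)
```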

Logging DoS DNS events on a protected object

Ensure that the appropriate log publisher exists on the BIG-IP system.
Assign a custom logging profile to a protected object when you want the system to log DoS protection events for the traffic the protected object processes.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object for which you want to log DoS events.
    The Properties pane opens on the right.
  3. In the Network & General area, for Logging Profiles, move the logging profile to assign from the Available list into the Selected list.
    This assigns the logging profile to the protected object.
  4. Click Save.
The system logs DoS DNS events for the protected object.
You can review DoS DNS event logs at Security > Event Logs > DoS > DNS Protocol.