You can configure DNS attack settings in a protection profile that already exists, or
create a new one.
The BIG-IP system handles DNS attacks that use
malformed packets, protocol errors, and malicious attack vectors. Protocol error attack
detection settings detect malformed and malicious packets, or packets that are employed
to flood the system with several different types of responses, by detecting packets per
second and detecting percentage increase in packets over time. You can configure
settings to identify and rate limit possible DNS attacks with a protection profile.
On the Main tab, click
The Protection Profiles list
The New Protection Profile
In the Name field, type the name for
For Threshold Sensitivity, select Low, Medium, or High.
Low means the automatic
threshold calculations are less sensitive to changes in traffic and CPU usage. A
lower setting causes the system to adjust the thresholds more slowly over time,
but will also trigger fewer false positives. If traffic rates are consistent
over time, set this to Medium or High because even a small variation in generally consistent
traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false
If you have created a whitelist on the system,
from the Default
Whitelist list, select the list.
You can also click Manage Address Lists to jump to the
Address Lists screen where you can create or edit address lists.
To configure DNS security settings, for
Families, select DNS.
Dynamic signature enforcement creates signatures
that define attacks based on changing traffic patterns over time. To enable
dynamic signatures for DNS traffic, point to DNS, then select the Edit
icon (pencil) that appears on the right side.
The DNS Properties pane opens
on the right.
In the Properties pane, for Dynamic Signature
Enforcement, from the list, select Enabled.
Note: At first, you may want to select
Learn Only to
track dynamic signatures, without enforcing any thresholds or limits. Once
you see that the system is accurately detecting attacks, then select
From the Mitigation Sensitivity list,
select the sensitivity level for dropping packets.
- Select None to generate and log
dynamic signatures, without dropping packets.
- To drop packets, set the mitigation level
from Low to
setting of Low is
least aggressive, but will also trigger fewer false positives. A setting of
High is most
aggressive, and the system may drop more false positive packets.
At the bottom of the screen, click DNS.
The screen displays the DNS attack
To configure enforcement and settings for a DNS
vector, in the Vector Name column, click the name.
The vector properties pane
opens on the right.
In the Properties pane, from the State list, choose the
appropriate enforcement option.
- Select Mitigate to enforce the
configured DoS vector by examining packets, logging the results of the
vector, learning patterns, alerting to trouble, and mitigating the attack
(watch, learn, alert, and mitigate).
- Select Detect Only to configure
the vector, log the results of the vector without applying rate limits or
other actions, and alerting to trouble (watch, learn, and alert).
- Select Learn Only to configure
the vector, log the results of the vector, without applying rate limits or
other actions (watch and learn).
- Select Disabled to disable
logging and enforcement of the DoS vector (no stat collection, no
For Threshold Mode, select whether to have the system
determine thresholds for the vector (Fully Automatic),
have partially automatic settings (Manual Detection / Auto
Mitigation), or, you can control the settings (Fully
The settings differ depending on the option you select. Here, we describe the
settings for automatic threshold configuration. If you want to set thresholds
manually, select one of the manual options and refer to online Help for details
on the settings.
To allow the DoS vector thresholds to be
automatically adjusted, for Threshold Mode, select Fully Automatic (available
only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
Note: Automatic thresholding is not available for every DoS
vector. In particular, for error packets that are broken by their nature,
such as those listed under Bad Headers, you must configure them manually.
In the Attack Floor EPS
field, type the number of events per second of the vector type to allow
at a minimum, before automatically calculated thresholds are
Because automatic thresholds take
time to be reliably established, this setting defines the minimum
packets allowed before automatic thresholds are calculated.
In the Attack Ceiling EPS
field, specify the absolute maximum allowable for packets of this type
before automatically calculated thresholds are determined.
Because automatic thresholds take
time to be reliably established, this setting rate limits packets to the
events per second setting, when specified. To set no hard limit, set
this to Infinite.
Unless set to
infinite, if the maximum number of packets exceeds the ceiling value,
the system considers it to be an attack.
To detect IP address sources from which possible
attacks originate, enable Bad
Note: Bad Actor Detection is not available for every
To automatically blacklist bad actor IP addresses,
select Add Source Address to
Important: For this to work, you need to assign an IP
Intelligence policy to the appropriate context (device, virtual server, or
route domain). For the device, assign a global policy: . For the virtual server or route domain, assign the IP
Intelligence policy on the Security tab.
From the Category Name list, select
the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
In the Sustained Attack Detection
Time field, specify the duration in seconds after which the
attacking endpoint is blacklisted. By default, the configuration adds an IP
address to the blacklist after one minute (60 seconds).
In the Category Duration Time field,
specify the length of time in seconds that the address will remain on the
blacklist. The default is 14400 seconds (4 hours).
To allow IP source blacklist entries to be
advertised to edge routers so they will null route their traffic, select
Note: To advertise to edge routers, you must configure a
Blacklist Publisher and Publisher Profile at .
You have now configured a DoS protection profile to provide custom responses to
malicious DNS protocol attacks, to allow such attacks to be identified in system logs
and reports, and to allow rate limiting and other actions when such attacks are
detected. DNS queries on particular record types you have configured in the DNS Query
Attack Detection area are detected as attacks at your specified thresholds and rate
increases, and rate limited as specified.
Associate a DNS profile with a protected object to
enable the protected object to handle DNS traffic. Associate the DoS protection profile
with a protected object to apply the settings in the profile to traffic on that