Attackers can target the BIG-IP system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. The DoS attack prevention methods described here are available only when BIG-IP Advanced Firewall Manager (AFM) is licensed and provisioned.
-
DoS and DDoS attacks
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
attempt to render a machine or network resource unavailable to users. DoS attacks involve the
efforts of one or more sources to disrupt the services of one or more hosts connected to the
Internet.
- With Advanced Firewall Manager, you can configure the system to
automatically track traffic and CPU usage patterns over time, and adapt automatically to
possible DoS attacks across a range of DoS vectors. You can enable DoS detection and mitigation
device-wide, for all traffic the BIG-IP system handles, and in DoS profiles that are associated
with specific protected objects (also called virtual servers). Device-wide settings are applied
first, so a per-profile setting cannot admit traffic that the device-wide configuration already drops.
- Automatic threshold configuration is available for a range of
packet types and traffic patterns. Use automatic thresholds to adapt responses to DoS attack
vectors based on the traffic history on the system. Because automatic thresholds are derived
from observed traffic, they require a learning period of normal traffic before they are meaningful.
- You can also configure thresholds manually for a wide variety of packets that attackers can
leverage as attack vectors: an absolute packets-per-second detection threshold, at which the system
reports and logs an attack; a percentage-increase detection threshold relative to the recent
average rate; and an absolute rate limit above which packets on the vector are dropped.
- You can enable Bad Actor detection on a per-vector basis to
identify IP addresses that engage in attacks where one IP address is targeting many
destinations; the system can automatically blacklist Bad Actor IP addresses using per-vector
detection thresholds and a configurable blacklist duration. In addition, you can use Attacked
Destination Detection to identify IP addresses that are being attacked from many sources
(many-to-one attacks). The attacked destination addresses are added to a list, and mitigation is
applied only to traffic for the attacked destination addresses, so unaffected destinations behind
the same vector are not rate limited.
-
DNS and SIP flood (or DoS) attacks
- Denial-of-service (DoS) or flood attacks attempt to overwhelm a DNS or SIP server with a high
volume of requests. The requests can be malformed, or they can be well-formed requests that
concentrate on a particular DNS query type or protocol extension, or on a particular SIP request
type, to exhaust the resources that handle them.
-
DoS Sweep and Flood attacks
- A sweep attack is a network scanning technique that sweeps your network
by sending packets from a single host to multiple destinations. The responses (or their absence)
are then used to determine which hosts are live. A flood attack involves sending large amounts of
traffic from one or more hosts to a single destination, preventing legitimate access to the
resource. Sweep and flood attack prevention allows you to configure system thresholds for packets
that conform to typical sweep (one-to-many) or flood (many-to-one) attack patterns.
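The following Python model ties together the controls described above for thresholds, Bad Actor detection and Attacked Destination detection, and the one-to-many and many-to-one patterns of the sweep and flood section. It is an added illustration, not BIG-IP AFM code: the field names, threshold values, hold time and the sample traffic are all assumptions constructed for the example. It evaluates one second of traffic on a single vector at a time, reports an attack when either the absolute or the percentage-increase detection threshold is crossed, blacklists any source exceeding a per-source rate, lists any destination exceeding a per-destination rate, and applies the rate limit only to listed destinations when any exist.

```python
"""Per-vector DoS detection model (added example, not BIG-IP AFM code).
All names, thresholds and sample traffic below are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class VectorConfig:
    detection_pps: int       # absolute pps at which the vector is reported as under attack
    detection_percent: int   # % increase over the learned baseline that also counts as an attack
    rate_limit_pps: int      # pps allowed through once mitigation applies; the rest is dropped
    bad_actor_pps: int       # per-source pps that marks the source as a Bad Actor
    attacked_dst_pps: int    # per-destination pps that marks the destination as attacked
    hold_seconds: int        # how long a Bad Actor or attacked destination stays listed


@dataclass
class VectorState:
    history: list = field(default_factory=list)     # per-second pps used for the baseline
    blacklist: dict = field(default_factory=dict)   # source -> second the entry expires
    attacked: dict = field(default_factory=dict)    # destination -> second the entry expires


def baseline(history, window=60):
    """Average pps over the last `window` non-attack seconds (0 until history exists)."""
    recent = history[-window:]
    return sum(recent) / len(recent) if recent else 0.0


def process_second(second, packets, cfg, state):
    """Evaluate one second of (src, dst) packets on a vector and return a summary.

    Mitigation order: Bad Actor sources are dropped outright; the rate limit is
    then applied only to traffic for attacked destinations when any are listed,
    and to the whole vector otherwise."""
    state.blacklist = {s: t for s, t in state.blacklist.items() if t > second}
    state.attacked = {d: t for d, t in state.attacked.items() if t > second}

    pps = len(packets)
    base = baseline(state.history)
    detected = pps >= cfg.detection_pps or (
        base > 0 and pps >= base * (1 + cfg.detection_percent / 100))

    for src, n in Counter(s for s, _ in packets).items():
        if n >= cfg.bad_actor_pps:                    # one source, many packets
            state.blacklist[src] = second + cfg.hold_seconds
    for dst, n in Counter(d for _, d in packets).items():
        if n >= cfg.attacked_dst_pps:                 # many packets, one destination
            state.attacked[dst] = second + cfg.hold_seconds

    dropped = limited_allowed = 0
    for src, dst in packets:
        if src in state.blacklist:
            dropped += 1
        elif not state.attacked or dst in state.attacked:
            if limited_allowed >= cfg.rate_limit_pps:
                dropped += 1
            else:
                limited_allowed += 1

    # Attack seconds are left out of the baseline so an attack cannot raise its own threshold.
    if not detected:
        state.history.append(pps)
    return {"pps": pps, "detected": detected, "dropped": dropped,
            "bad_actors": sorted(state.blacklist), "attacked": sorted(state.attacked)}


# Constructed traffic: 20 sources spread over 5 destinations (100 pps), then one
# second in which 203.0.113.9 sweeps 100 destinations (500 pps) while 400 sources
# flood 192.0.2.1 with one packet each.
def normal_second():
    return [(f"10.0.0.{i % 20}", f"192.0.2.{i % 5}") for i in range(100)]


def attack_second():
    sweep = [("203.0.113.9", f"192.0.2.{i % 100}") for i in range(500)]
    flood = [(f"198.18.{i // 250}.{i % 250}", "192.0.2.1") for i in range(400)]
    return sweep + flood


def run_demo():
    cfg = VectorConfig(detection_pps=400, detection_percent=300, rate_limit_pps=200,
                       bad_actor_pps=100, attacked_dst_pps=200, hold_seconds=60)
    state = VectorState()
    results = [process_second(t, normal_second(), cfg, state) for t in range(5)]
    results.append(process_second(5, attack_second(), cfg, state))
    # One second later the sweeping source is still blacklisted, even at 1 pps.
    results.append(process_second(6, normal_second() + [("203.0.113.9", "192.0.2.3")], cfg, state))
    return results


if __name__ == "__main__":
    for t, r in enumerate(run_demo()):
        print(t, r)
```

In the attack second the sweep source is blacklisted and all 500 of its packets are dropped, 192.0.2.1 is listed as an attacked destination and only 200 of the 400 flood packets reach it, while the other destinations on the same vector are untouched by the rate limit. Excluding detected seconds from the baseline is a design choice of this model, made so that a sustained attack cannot teach the automatic threshold to accept itself.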
-
Malformed DNS packets
- Malformed DNS packets can be used to consume processing power on the
BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed
DNS packets, and allows you to configure how you track such attacks.
-
Malformed SIP packets
- Malformed SIP request packets can be used to consume processing power on
the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops
malformed SIP packets, and allows you to configure how you track such attacks.
-
Protocol exploits
- Attackers can send DNS requests using unusual DNS query types (such as ANY) or
OpCodes. The BIG-IP system can be configured to allow or deny specific DNS query types, and to
deny specific DNS OpCodes. When you configure the system to deny such protocol exploits, the
system drops the matching requests and tracks these events as attacks.
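The following Python example shows the two DNS checks described above, malformed-packet handling and query type / OpCode filtering, applied to raw request bytes. It is an added illustration, not BIG-IP code: the deny lists are an assumed policy, the sample packets are constructed inline, and treating a compression pointer inside the question name of a request as malformed is a simplification of this model.

```python
"""DNS request checker (added example, not BIG-IP code): drop malformed
requests, deny listed OpCodes and query types, count each event as an attack.
The policy and the sample packets are constructed assumptions."""
import struct
from collections import Counter

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 252: "AXFR", 255: "ANY"}

DENIED_OPCODES = {"IQUERY", "STATUS", "UPDATE"}   # assumed policy: QUERY and NOTIFY allowed
DENIED_QTYPES = {"ANY", "AXFR"}                   # assumed policy


class MalformedDNS(ValueError):
    pass


def parse_query(pkt):
    """Return (opcode, qtype, qname) for a DNS request; raise MalformedDNS otherwise."""
    if len(pkt) < 12:
        raise MalformedDNS("short header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise MalformedDNS("QR bit set on a request")
    opcode = (flags >> 11) & 0xF
    if qdcount != 1:
        raise MalformedDNS(f"qdcount {qdcount}")
    off, labels = 12, []
    while True:                                   # walk the question name label by label
        if off >= len(pkt):
            raise MalformedDNS("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                              # simplification: no pointers in a request name
            raise MalformedDNS("compression pointer in question name")
        if n > 63 or off + n > len(pkt):
            raise MalformedDNS("bad label length")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(pkt):
        raise MalformedDNS("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return opcode, qtype, ".".join(labels) or "."


def inspect(pkt, stats):
    """Apply the policy to one packet; return 'allow' or 'drop' and count attack events."""
    try:
        opcode, qtype, _ = parse_query(pkt)
    except MalformedDNS:
        stats["malformed"] += 1
        return "drop"
    op = OPCODES.get(opcode, f"opcode{opcode}")
    qt = QTYPES.get(qtype, f"type{qtype}")
    if op in DENIED_OPCODES:
        stats[f"opcode:{op}"] += 1
        return "drop"
    if qt in DENIED_QTYPES:
        stats[f"qtype:{qt}"] += 1
        return "drop"
    return "allow"


def build_query(qname, qtype, opcode=0, ident=0x1234):
    """Build a well-formed request (constructed sample input) with RD set and QR clear."""
    flags = (opcode << 11) | 0x0100
    hdr = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l) + b"\x00"
    return hdr + name + struct.pack("!HH", qtype, 1)


def run_demo():
    stats = Counter()
    packets = [
        build_query("example.com", 1),            # A query: allowed
        build_query("example.com", 255),          # ANY: denied query type
        build_query("example.com", 6, opcode=2),  # STATUS OpCode: denied
        build_query("example.com", 1)[:20],       # cut mid-name: malformed
        struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x00\x00\x01\x00\x01",  # QR set: malformed
    ]
    verdicts = [inspect(p, stats) for p in packets]
    return verdicts, dict(stats)


if __name__ == "__main__":
    print(run_demo())
```

The counters in `stats` are what a tracking configuration would feed into attack reporting: one event per denied OpCode or query type and one per malformed packet, each attributed to its cause rather than lumped into a single DNS counter.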