Manual Chapter : Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

Applies To:


BIG-IP AFM

  • 14.1.2, 14.1.0

Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

About detecting and protecting against DoS, DDoS, and protocol attacks

Attackers can target the BIG-IP system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. These DoS attack prevention methods are available when the BIG-IP Advanced Firewall Manager is licensed and provisioned.

DoS and DDoS attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a machine or network resource unavailable to users. DoS attacks involve the efforts of one or more sources to disrupt the services of one or more hosts connected to the Internet.
With Advanced Firewall Manager, you can configure the system to automatically track traffic and CPU usage patterns over time, and adapt automatically to possible DoS attacks across a range of DoS vectors. You can initiate DoS detection and mitigation for the BIG-IP system, and in profiles that are associated with specific protected objects (also called virtual servers).
Automatic threshold configuration is available for a range of packet types and traffic patterns. Use automatic thresholds to adapt responses to DoS attack vectors based on the traffic history on the system.
You can also manually configure thresholds, by specifying absolute packet-per-second limits for attack detection (reporting and logging), percentage increase thresholds for detection, and absolute rate limits on a wide variety of packets that attackers can leverage as attack vectors.
You can enable Bad Actor detection on a per-vector basis to identify IP addresses that engage in attacks where one IP address targets many destinations; the system can automatically blacklist Bad Actor IP addresses using specific thresholds and time limits. In addition, you can use Attacked Destination Detection to identify IP addresses that are being attacked from many sources (many-to-one attacks). The attacked destination addresses are added to a list, and mitigation is applied only to those addresses rather than to all traffic.
DNS and SIP flood (or DoS) attacks
Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests. The requests are either malformed, or they are well-formed but arrive in volume using a particular DNS query type or protocol extension, or a particular SIP request type.
DoS Sweep and Flood attacks
A sweep attack is a network scanning technique that sweeps your network by sending packets from a single host to multiple destinations. The packet responses are then used to determine which hosts are responsive. A flood attack involves sending large amounts of traffic from one or more hosts to a single destination, preventing legitimate access to the resource. Sweep and flood attack prevention allows you to configure system thresholds for packets that conform to typical sweep or flood attack patterns.
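The one-to-many (sweep / Bad Actor) and many-to-one (flood / Attacked Destination) patterns described above, together with the absolute and percentage-increase thresholds from the DoS and DDoS section, as an added illustration that is not F5's code and does not reproduce how AFM implements its vectors. The packet records, addresses and threshold values are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records (src_ip, dst_ip) seen in one detection
# interval; invented for this example, not captured traffic.
PACKETS = (
    [("203.0.113.7", f"192.0.2.{i}") for i in range(1, 41)]       # one source sweeps 40 hosts
    + [(f"198.51.100.{i}", "192.0.2.10") for i in range(1, 61)]   # 60 sources flood one host
    + [("203.0.113.9", "192.0.2.10"), ("203.0.113.9", "192.0.2.11")]  # benign background
)


def detect_sweep_sources(packets, min_destinations):
    """One-to-many: sources that contacted at least min_destinations distinct
    hosts, the pattern the Sweep vector and Bad Actor detection look for."""
    dsts = defaultdict(set)
    for src, dst in packets:
        dsts[src].add(dst)
    return {src for src, d in dsts.items() if len(d) >= min_destinations}


def detect_flooded_destinations(packets, min_sources):
    """Many-to-one: destinations hit by at least min_sources distinct sources,
    the pattern the Flood vector and Attacked Destination Detection look for."""
    srcs = defaultdict(set)
    for src, dst in packets:
        srcs[dst].add(src)
    return {dst for dst, s in srcs.items() if len(s) >= min_sources}


def rate_exceeded(current_pps, baseline_pps, detection_pps, pct_increase):
    """Manual-threshold style check: fire on an absolute packets-per-second
    limit, or on a percentage increase over the learned baseline."""
    return current_pps >= detection_pps or current_pps >= baseline_pps * (1 + pct_increase / 100)


def mitigation_targets(packets, min_destinations, min_sources):
    """Return (bad_actor_sources, attacked_destinations) so rate limiting can be
    scoped to those addresses instead of to all traffic through the device."""
    return (detect_sweep_sources(packets, min_destinations),
            detect_flooded_destinations(packets, min_sources))


if __name__ == "__main__":
    print("sweep sources:", detect_sweep_sources(PACKETS, 20))
    print("flooded destinations:", detect_flooded_destinations(PACKETS, 50))
    print("rate alarm:", rate_exceeded(1200, 1000, 5000, 10))
```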
Malformed DNS packets
Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks.
Malformed SIP packets
Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to configure how you track such attacks.
Protocol exploits
Attackers can send DNS requests using unusual DNS query types or OpCodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS OpCodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks.