DNS DoS protection is a type of protocol security. DNS DoS attack detection and prevention
serves several functions:
- To detect and report on DNS packets based on
behavior characteristics of the sender, or characteristics of the packets, without enforcing any
- To detect, report on, and rate limit DNS
packets based on behavior characteristics that signify specific known attack vectors.
- To identify Bad Actor IP addresses from which
attacks appear to originate, by detecting packets per second from a source, and to apply rate
limits to such IP addresses.
- To blacklist Bad Actor IP addresses, with
configurable detection times, blacklist durations, and blacklist categories, and allow such IP
addresses to be advertised to edge routers to offload blacklisting.
You can use the DNS DoS protection profile to configure the percentage
increase over the system baseline, which indicates that a possible attack is in process on a
particular DNS query type, or an increase in anomalous packets. You can also rate limit packets
of known vectors. You can configure settings manually, and for many vectors you can allow AFM to
manage thresholds automatically.
You can specify address lists as a whitelist, that the DoS checks allow.
Whitelisted addresses are passed by the protection profile, without being subject to the checks
in the protection profile.
protecting against DNS DoS attacks with a protection profile
This task describes how to create a new DoS protection profile and configure
settings to identify and rate limit possible DNS DoS attacks.
On the Main tab, click
The Protection Profiles list
The New Protection Profile
In the Name field, type the name for
For Threshold Sensitivity, select Low, Medium, or High.
Low means the automatic
threshold calculations are less sensitive to changes in traffic and CPU usage. A
lower setting causes the system to adjust the thresholds more slowly over time,
but will also trigger fewer false positives. If traffic rates are consistent
over time, set this to Medium or High because even a small variation in generally consistent
traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false
If you have created a whitelist on the system,
from the Default
Whitelist list, select the list.
You can also click Manage Address Lists to jump to the
Address Lists screen where you can create or edit address lists.
To configure DNS security settings, for
Families, select DNS.
Dynamic signature enforcement creates signatures
that define attacks based on changing traffic patterns over time. To enable
dynamic signatures for DNS traffic, point to DNS, then select the Edit
icon (pencil) that appears on the right side.
The DNS Properties pane opens
on the right.
In the Properties pane, for Dynamic Signature
Enforcement, from the list, select Enabled.
Note: At first, you may want to select
Learn Only to
track dynamic signatures, without enforcing any thresholds or limits. Once
you see that the system is accurately detecting attacks, then select
From the Mitigation Sensitivity list,
select the sensitivity level for dropping packets.
- Select None to generate and log
dynamic signatures, without dropping packets.
- To drop packets, set the mitigation level
from Low to
setting of Low is
least aggressive, but will also trigger fewer false positives. A setting of
High is most
aggressive, and the system may drop more false positive packets.
At the bottom of the screen, click DNS.
The screen displays the DNS attack
To configure enforcement and settings for a DNS
vector, in the Vector Name column, click the name.
The vector properties pane
opens on the right.
In the Properties pane, from the State list, choose the
appropriate enforcement option.
- Select Mitigate to enforce the
configured DoS vector by examining packets, logging the results of the
vector, learning patterns, alerting to trouble, and mitigating the attack
(watch, learn, alert, and mitigate).
- Select Detect Only to configure
the vector, log the results of the vector without applying rate limits or
other actions, and alerting to trouble (watch, learn, and alert).
- Select Learn Only to configure
the vector, log the results of the vector, without applying rate limits or
other actions (watch and learn).
- Select Disabled to disable
logging and enforcement of the DoS vector (no stat collection, no
For Threshold Mode, select whether to have the system
determine thresholds for the vector (Fully Automatic),
have partially automatic settings (Manual Detection / Auto
Mitigation), or, you can control the settings (Fully
The settings differ depending on the option you select. Here, we describe the
settings for automatic threshold configuration. If you want to set thresholds
manually, select one of the manual options and refer to online Help for details
on the settings.
To allow the DoS vector thresholds to be
automatically adjusted, for Threshold Mode, select Fully Automatic (available
only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
Note: Automatic thresholding is not available for every DoS
vector. In particular, for error packets that are broken by their nature,
such as those listed under Bad Headers, you must configure them manually.
In the Attack Floor EPS
field, type the number of events per second of the vector type to allow
at a minimum, before automatically calculated thresholds are
Because automatic thresholds take
time to be reliably established, this setting defines the minimum
packets allowed before automatic thresholds are calculated.
In the Attack Ceiling EPS
field, specify the absolute maximum allowable for packets of this type
before automatically calculated thresholds are determined.
Because automatic thresholds take
time to be reliably established, this setting rate limits packets to the
events per second setting, when specified. To set no hard limit, set
this to Infinite.
Unless set to
infinite, if the maximum number of packets exceeds the ceiling value,
the system considers it to be an attack.
To detect IP address sources from which possible
attacks originate, enable Bad
Note: Bad Actor Detection is not available for every
To automatically blacklist bad actor IP addresses,
select Add Source Address to
Important: For this to work, you need to assign an IP
Intelligence policy to the appropriate context (device, virtual server, or
route domain). For the device, assign a global policy:
. For the virtual server or route domain, assign the IP
Intelligence policy on the Security tab.
From the Category Name list, select
the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
In the Sustained Attack Detection
Time field, specify the duration in seconds after which the
attacking endpoint is blacklisted. By default, the configuration adds an IP
address to the blacklist after one minute (60 seconds).
In the Category Duration Time field,
specify the length of time in seconds that the address will remain on the
blacklist. The default is 14400 seconds (4 hours).
To allow IP source blacklist entries to be
advertised to edge routers so they will null route their traffic, select
Note: To advertise to edge routers, you must configure a
Blacklist Publisher and Publisher Profile at
You have now configured a DoS protection profile to provide custom responses to
malicious DNS protocol attacks, to allow such attacks to be identified in system logs
and reports, and to allow rate limiting and other actions when such attacks are
detected. DNS queries on particular record types you have configured in the DNS Query
Attack Detection area are detected as attacks at your specified thresholds and rate
increases, and rate limited as specified.
Associate the DoS protection profile
with a protected object to apply the settings in the profile to traffic on that
Logging DoS DNS events on a protected object
Ensure that the appropriate log publisher
exists on the BIG-IP system.
Assign a custom logging profile to a
protected object when you want the system to log DoS protection events for the traffic
the protected object processes.
On the Main tab, click
Click the name of the protected object for which
you want to log DoS events.
The Properties pane opens on the right.
In the Network & General area, for
Logging Profiles, move the logging profile to assign
from the Available list into the Selected list.
This assigns the logging
profile to the protected object.
The system logs DoS DNS
events for the protected object.
You can review DoS
DNS event logs at