Manual Chapter : Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

Applies To:

BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Detecting and Protecting Against DoS, DDoS, and Protocol Attacks

About detecting and protecting against DoS, DDoS, and protocol attacks

Attackers can target the BIG-IP® system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. These DoS attack prevention methods are available when the Advanced Firewall Manager™ is licensed and provisioned.

DoS and DDoS attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a machine or network resource unavailable to users. DoS attacks require the efforts of one or more people to disrupt the services of a host connected to the Internet.
With Advanced Firewall Manager, you can configure the system to automatically track traffic and CPU usage patterns over time, and adapt automatically to possible DoS attacks across a range of DoS vectors. You can configure DoS detection for the whole system, and on an individual, per-DoS-vector basis. Automatic threshold configuration is available for a range of non-error packet types on the AFM system.
With AFM, you can also configure manual responses to DoS vectors. For non-error packets, you can configure absolute packet-per-second limits for attack detection (reporting and logging), percentage increase thresholds for detection, and absolute rate limits on a wide variety of packets that attackers can leverage as attack vectors. In addition, you can configure Bad Actor detection, to identify IP addresses that engage in such attacks, on a per-vector basis, and you can automatically blacklist Bad Actor IP addresses, with specific thresholds and time limits. Configure responses to system-level DoS attack vectors in the DoS Device Configuration.
DNS and SIP flood (or DoS) attacks
Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests that are either malformed or that concentrate on a particular DNS query type or protocol extension, or on a particular SIP request type. The BIG-IP system allows you to track such attacks, using the DoS Protection profile.
DoS Sweep and Flood attacks
A sweep attack is a network scanning technique that sweeps your network by sending packets, and using the packet responses to determine responsive hosts. Sweep and Flood attack prevention allows you to configure system thresholds for packets that conform to typical sweep or flood attack patterns. This configuration is set in the DoS Device Configuration.
Malformed DNS packets
Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Malformed SIP packets
Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Protocol exploits
Attackers can send DNS requests using unusual DNS query types or OpCodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS OpCodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks. This configuration is set in the DNS Security profile.

About profiles for DoS and protocol service attacks

On your BIG-IP® system, you can use different types of profiles to detect and protect against system DoS attacks, to rate limit possible attacks, and to automatically blacklist IP addresses when identified as Bad Actors. You can configure settings for specific protocol attacks for DNS and SIP, and other network attacks.

DoS Protection profile
The DoS Protection profile lets you configure DoS detection and prevention on a per-virtual-server basis. With a DoS Protection profile, you can configure the following settings.
  • Define a source IP address whitelist, to allow addresses to pass through the DoS protection checks.
  • Define settings for DNS protocol error detection, which allows you to configure a percentage rate increase over time and a packets-per-second threshold to trigger logging, as well as a hard rate limit on DNS protocol error packets.
  • Define packet-per-second rate increases, percentage rate increases, and packet-per-second rate limiting for DNS record types.
  • Configure identification, rate limiting, and automatic blacklisting of Bad Actors by DNS query record type. Bad Actors are defined on a packet-per-second level, per record type.
  • Define settings for SIP protocol error detection, which allows you to configure a percentage rate increase over time and a packets-per-second threshold to trigger logging, as well as a hard rate limit on SIP protocol error packets.
  • Define specific packet-per-second rate increases, percentage rate increases, and packet-per-second rate limiting for SIP request methods.
  • Configure identification, rate limiting, and automatic blacklisting of Bad Actors by SIP request method. Bad Actors are defined on a packet-per-second level, per request method.
  • Configure identification, rate limiting, and automatic blacklisting of several known network attack types, according to various detection criteria.
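The following Python model is an added illustration, not F5's code or a BIG-IP configuration, of how the per-vector settings listed above and in the DoS and DDoS attacks section interact: an absolute packets-per-second detection threshold, a percentage-increase threshold over a learned baseline, a hard rate limit, and per-source Bad Actor detection with a timed blacklist. All threshold values, the EWMA baseline and the IP addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class VectorPolicy:
    detect_pps: int        # absolute pps at which an attack is logged
    detect_pct: int        # % increase over baseline that also logs
    rate_limit_pps: int    # packets above this in a second are dropped
    bad_actor_pps: int     # per-source pps that marks a Bad Actor
    blacklist_secs: int    # how long a Bad Actor stays blacklisted

@dataclass
class VectorState:
    baseline: float = 0.0  # smoothed pps seen during non-attack seconds
    blacklist: dict = field(default_factory=dict)  # source -> expiry second

def evaluate_second(policy, state, now, packets):
    """One second of traffic for one vector; packets = source IP per packet.
    Returns (attack_detected, packets_dropped, new_bad_actors)."""
    # expire old blacklist entries, then drop packets from blacklisted sources
    state.blacklist = {s: t for s, t in state.blacklist.items() if t > now}
    allowed = [s for s in packets if s not in state.blacklist]
    dropped = len(packets) - len(allowed)
    pps = len(allowed)
    # detection: absolute pps threshold, or percentage increase over baseline
    pct_hit = state.baseline > 0 and pps >= state.baseline * (1 + policy.detect_pct / 100)
    attack = pps >= policy.detect_pps or pct_hit
    # hard rate limit: everything above the limit is dropped
    if pps > policy.rate_limit_pps:
        dropped += pps - policy.rate_limit_pps
    # Bad Actor detection: a single source above its own pps threshold
    per_src = defaultdict(int)
    for s in allowed:
        per_src[s] += 1
    new_bad = [s for s, n in per_src.items() if n >= policy.bad_actor_pps]
    for s in new_bad:
        state.blacklist[s] = now + policy.blacklist_secs
    # learn the baseline (EWMA) only from seconds that were not flagged
    if not attack:
        state.baseline = 0.8 * state.baseline + 0.2 * pps if state.baseline else pps
    return attack, dropped, new_bad

def run_sample():
    """Constructed scenario: two quiet seconds, then one source floods."""
    policy = VectorPolicy(500, 200, 800, 300, 60)
    state = VectorState()
    quiet = ["10.0.0.1"] * 50 + ["10.0.0.2"] * 50      # 100 pps of normal traffic
    flood = quiet + ["203.0.113.9"] * 900                # plus 900 pps from one host
    seconds = [(0, quiet), (1, quiet), (2, flood), (3, flood)]
    return [evaluate_second(policy, state, t, pkts) for t, pkts in seconds]
```

In the sample, second 2 trips both detection thresholds, is rate limited, and blacklists the flooding source; in second 3 its packets are dropped before they count toward the vector, so no attack is reported.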
DNS Protocol Security profile
The DNS Security profile is a separate profile that you specify in a DNS service profile, to provide security features. The DNS Security Profile allows you to configure the BIG-IP system to exclude (drop) or include (allow) packets of specific DNS query record types. You can also configure the profile to exclude (drop) the DNS QUERY header OpCode.
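To show what the DNS Security profile's query-type and OpCode filtering (and the protocol-exploit handling described earlier) has to inspect, here is an added Python example, not the BIG-IP implementation, that pulls the OpCode and the question QTYPE out of a raw DNS message and applies deny lists. The deny lists, the build_query helper and the treatment of a compression pointer in the question name as malformed are this example's own assumptions.

```python
import struct

# Constructed deny lists standing in for a DNS Security profile's excluded
# query record types and header OpCodes (numbers are the IANA values).
DENIED_QTYPES = {255: "ANY", 252: "AXFR"}
DENIED_OPCODES = {4: "NOTIFY", 5: "UPDATE"}

def parse_query(msg):
    """Return (opcode, qtype) of a raw DNS message; ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    while True:                           # walk the QNAME labels
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:                      # this model rejects pointers in the first name
            raise ValueError("compressed name in question")
        pos += 1 + n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return opcode, qtype

def decide(msg):
    """Return 'malformed', 'drop:<reason>' or 'allow' for one DNS query."""
    try:
        opcode, qtype = parse_query(msg)
    except ValueError:
        return "malformed"                # malformed packets are dropped outright
    if opcode in DENIED_OPCODES:
        return "drop:opcode-" + DENIED_OPCODES[opcode]
    if qtype in DENIED_QTYPES:
        return "drop:qtype-" + DENIED_QTYPES[qtype]
    return "allow"

def build_query(name, qtype, opcode=0):
    """Constructed helper: assemble a minimal DNS query for the samples."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```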
HTTP Protocol Security profile
The HTTP Security profile allows you to configure the BIG-IP system to perform HTTP protocol checks, HTTP request checks, and to present a blocking page if a check fails. You can attach an HTTP Security profile to a virtual server.
Important: You can only attach an HTTP security profile to a virtual server that is already configured with an HTTP profile.