Manual Chapter : Detecting and Protecting Against DoS DDoS and Protocol Attacks

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

About detecting and protecting against DoS, DDoS, and protocol attacks

Attackers can target the BIG-IP® system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, SIP, and DNS attack routes. These DoS attack prevention methods are available when theBIG-IP® Advanced Firewall Manager™ is licensed and provisioned.

DoS and DDoS attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a machine or network resource unavailable to users. DoS attacks involve the efforts of one or more sources to disrupt the services of one or more hosts connected to the Internet.
With Advanced Firewall Manager, you can configure the system to automatically track traffic and CPU usage patterns over time, and adapt automatically to possible DoS attacks across a range of DoS vectors. You can initiate DoS detection for the whole system, and in profiles that are associated with specific virtual servers. Configure responses to system-level DoS attack vectors in the DoS Device Configuration.
Automatic threshold configuration is available for a range of non-error packet types on the AFM system. Use automatic thresholds to adapt responses to DoS attack vectors based on the traffic history on the system.
With AFM, you can also configure manual responses to DoS vectors. For non-error packets, you can specify absolute packet-per-second limits for attack detection (reporting and logging), percentage increase thresholds for detection, and absolute rate limits on a wide variety of packets that attackers can leverage as attack vectors.
You can also enable Bad Actor detection on a per-vector basis to identify IP addresses that engage in attacks where one IP address is targeting many destinations; the system can automatically blacklist Bad Actor IP addresses with specific thresholds and time limits. In addition, you can use Attacked Destination Detection to determine IP addresses that are being attacked from many sources (many to one attacks). The attacked addresses are added to a list and packets are rate limited to that attacked address.
DNS and SIP flood (or DoS) attacks
Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests that are either malformed or simply attempt to overwhelm a system using a particular DNS query type or protocol extension, or a particular SIP request type. The BIG-IP system allows you to track such attacks, using the DoS Protection profile.
DoS Sweep and Flood attacks
A sweep attack is a network scanning technique that sweeps your network by sending packets, and using the packet responses to determine responsive hosts. Sweep and flood attack prevention allows you to configure system thresholds for packets that conform to typical sweep or flood attack patterns. This configuration is set in the DoS Device Configuration.
Malformed DNS packets
Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Malformed SIP packets
Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to configure how you track such attacks. This configuration is set in the DoS Protection profile.
Protocol exploits
Attackers can send DNS requests using unusual DNS query types or OpCodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS OpCodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks. This configuration is set in the DNS Security profile.

About profiles for DoS and protocol service attacks

On the BIG-IP® system, you can use different types of profiles to detect and protect against system DoS attacks, to rate limit possible attacks, and to automatically blacklist IP addresses when identified as Bad Actors. You can configure settings for specific protocol attacks for DNS and SIP, and other network attacks.

DoS Protection profile
With the DoS Protection profile you can configure settings for DoS protection that you can apply to a virtual server, to protect a specific application or server. You can configure the DoS profile to provide specific attack prevention at a more granular level than the Device DoS profile. In a DoS Profile, you can:
  • Configure automatic thresholds for each profile, and for specific DoS vectors, to allow the system to adjust the configuration for DoS attack detection automatically over time.
  • Define a source IP address whitelist, to allow legitimate addresses to pass through the DoS protection checks.
  • Define settings for DNS protocol error detection, which allows you to configure a percentage rate increase over time and a packets-per-second threshold to trigger logging, as well as a hard rate limit on DNS protocol error packets.
  • Define packet-per-second detection-limit, percentage rate increases, and packet-per-second rate limiting for DNS record types.
  • Define settings for SIP protocol error detection, which allows you to configure a percentage rate increase over time and a packets-per-second threshold to trigger logging, as well as a hard rate limit on SIP protocol error packets.
  • Define specific packet-per-second rate increases, percentage rate increases, and packet-per-second rate limiting for SIP request methods.
  • Configure identification, rate limiting, and automatic blacklisting of Bad Actors for supported attack vectors, according to various detection criteria.
  • Offload blacklisting of Bad Actor IP addresses to edge routers using BGP.
  • Configure identificaton, rate limiting, and classification of attacked destinations.
DNS Protocol Security Profile
The DNS Security Profile is a separate profile that you specify in a DNS service profile, to provide security features. The DNS Security Profile allows you to configure the BIG-IP system to exclude (drop) or include (allow) packets of specific DNS query record types. You can also configure the profile to exclude (drop) the DNS QUERY header OpCode.
HTTP Protocol Security Profile
The HTTP Security Profile allows you to configure the AFM system to perform HTTP protocol checks, HTTP request checks, and to present a blocking page if a check fails. You can attach an HTTP Security profile to a virtual server.
Important: You can attach an HTTP security profile only to a virtual server that is already configured with an HTTP profile.
SSH Proxy Protocol Security Profile
The SSH Proxy Security Profile allows you to configure the AFM system to allow or block SSH proxy commands, based on criteria including user name,