Manual Chapter : Detecting and Preventing System DoS and DDoS Attacks

Applies To:


BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

DoS and DDoS attack detection and prevention is enabled by the BIG-IP® Advanced Firewall Manager™ (AFM™) Device DoS Configuration for system-wide DoS protection, and by DoS Profiles for virtual servers. DoS detection features allow you to detect possible attacks on the system and on particular applications, and to rate limit possible attack vectors. AFM also enables further attack mitigation, including automatic identification and blacklisting of attacking IP addresses, and automatic configuration of DoS attack vector thresholds based on system analysis. DoS detection and prevention features are enabled with an Advanced Firewall Manager license, which also includes protocol DoS detection support that can be configured on a per-virtual-server basis.

  • At the virtual server level, detect malicious or malformed DNS and SIP protocol errors, and report anomalies by percentage increase, or by absolute packets per second.
  • At the virtual server level, rate limit malicious or malformed DNS and SIP protocol error packets.
  • At the virtual server level and system-wide, manually configure detection of potential DoS vector attacks by rate increase or absolute packets per second, and rate limit or leak limit such packets.
  • System-wide, automatically detect potential attacks across a wide range of DoS attack vectors, and rate limit or leak limit such packets.
  • At the virtual server level, detect repeat attackers for SIP, DNS, and other attack vectors and automatically blacklist their IP addresses, with configurable thresholds and blacklist duration.
  • System-wide, detect repeat attackers for a wide range of attack vectors and automatically blacklist their IP addresses, with configurable thresholds and blacklist duration.
  • At the virtual server level and system-wide, advertise blacklisted IP addresses to BGP routers, per DoS vector and per IP intelligence category. With this option, once an IP address is identified for blacklisting, all further blacklisting of IP addresses is handled by upstream routers, until the blacklist entry is automatically removed.

Task list

Detecting and protecting against system-wide DoS and DDoS attacks

The BIG-IP® system handles DoS and DDoS attacks with preconfigured responses. With DoS Protection Device Configuration, you can automatically or manually set detection thresholds and internal rate or leak limits for a range of DoS and DDoS attack vectors.
Note: Not all settings apply to all DoS vectors. For example, some vectors cannot use automatic thresholds, and some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Properties.
    The DoS Protection Device Configuration screen opens.
  2. From the Log Publisher list, select the destination to which the BIG-IP system sends DoS and DDoS logs.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  3. Configure the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, and will therefore trigger fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  5. For Relearn, click Start Relearning to start relearning auto thresholds.
    Auto thresholds are calculated from the system start. If you have made changes to the system since then, and want the system to adjust automatic DoS thresholds because of these changes, use this option.
  6. To specify a system-wide DoS address list containing addresses that do not need to be checked for DoS attacks, type the name of the list in the Whitelist Address List field.
    Note: Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
  7. To apply a system-wide rich DoS whitelist, click Add Whitelist, and type the information to define the packets to allow.
    You can define up to eight rich whitelists.
  8. At the top of the screen, from Device Configuration, choose Network Security, DNS Security, and SIP Security to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
    Note: Network Security vectors are listed in categories to make the list more manageable. Click the + next to a category to expand it.
  9. To enable (or disable) auto thresholds for one or more attack types, select the check box next to the vector name or names, and from the Set Threshold button at the bottom of the screen, select Fully-automatic. Select Manual to disable auto thresholds and set properties manually.
    Note: To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
    Tip: You can select all vectors by clicking the check box at the top of the list. However, some vectors do not support automatic thresholds. Deselect these vectors before you select Fully-automatic to avoid an error.
  10. Similarly, to set the state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable.
    The state you click is set for all selected vectors.
  11. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  12. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    CAUTION:
    For most DoS vectors, you want to enforce the vector, which is the default setting. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  13. Set the Threshold Mode for the vector.
    • If the attack allows automatic threshold configuration, you can select Fully Automatic or Manual Detection/Auto Mitigation to configure automatic or partially automatic thresholds.
    • To configure thresholds manually, click Fully Manual.
  14. Adjust the other settings for the DoS vector for fully automatic, partially manual, or fully manual threshold configuration.
  15. Click the Update button.
    The selected configuration is updated, and the changes appear on the Device Configuration screen.
  16. Repeat the previous steps for any other attack types for which you want to change the configuration.
You have now configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports.
Next, you can configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Automatically detecting and protecting against system-wide DoS and DDoS attacks

The BIG-IP® system handles DoS and DDoS attacks with preconfigured responses. With the DoS Protection Device Configuration, you can automatically or manually set detection thresholds and internal rate or leak limits for a range of DoS and DDoS attack vectors. Use this task to configure automatic thresholds for the system, and for adjusting individual DoS vectors.
Note: Not all settings apply to all DoS vectors. For example, some vectors do not support automatic thresholds, and some vectors do not include bad actor detection or automatic blacklisting.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Properties.
    The DoS Protection Device Configuration screen opens.
  2. From the Log Publisher list, select the destination to which the BIG-IP system sends DoS and DDoS logs.
    You can review, create, and update log publishers in System > Logs > Configuration > Log Publishers.
  3. Configure the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, and will therefore trigger fewer false positives.
  4. From the Eviction Policy list, select the eviction policy to apply globally.
    Note: The global context requires an eviction policy. If you do not apply a custom eviction policy, the system default policy, default-eviction-policy is applied and selected in this field.
  5. For Relearn, click Start Relearning to start relearning auto thresholds.
    Auto thresholds are calculated from the system start. If you have made changes to the system since then, and want the system to adjust automatic DoS thresholds because of these changes, use this option.
  6. To specify a system-wide DoS address list containing addresses that do not need to be checked for DoS attacks, type the name of the list in the Whitelist Address List field.
    Note: Available address lists appear on the right side of the screen, in the Shared Objects pane. You can view, edit, and add address lists there.
  7. To apply a system-wide rich DoS whitelist, click Add Whitelist, and type the information to define the packets to allow.
    You can define up to eight rich whitelists.
  8. At the top of the screen, from Device Configuration, choose Network Security, DNS Security, and SIP Security to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
    Note: Network Security vectors are listed in categories to make the list more manageable. Click the + next to a category to expand it.
  9. To enable auto thresholds for one or more attack types, select the check box next to the vector name or names, and from the Set Threshold button at the bottom of the screen, select Fully-automatic.
    Note: To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
    Tip: You can select all vectors by clicking the check box at the top of the list. However, some vectors do not support automatic thresholds. Deselect these vectors before you select Fully-automatic to avoid an error.
  10. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  11. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    CAUTION:
    For most DoS vectors, you want to enforce the vector, which is the default setting. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  12. For Threshold Mode, select Fully Automatic.
    Note: You cannot configure automatic thresholds for every DoS vector. In particular, for error packets you can manually specify only Detection Threshold EPS, Detection Threshold Percent, and the Mitigation Threshold EPS.
    Note: If automatic thresholds are available, you can configure automatic thresholds, partially manual, or manual thresholds for that DoS vector. When you select one configuration setting, the options for the other setting no longer appear.
  13. In the Attack Floor EPS field, specify the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
    Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
  14. In the Attack Ceiling EPS field, specify the absolute maximum allowable for events of this type, before automatically calculated thresholds are determined.
    Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
  15. If the vector includes other settings, such as Bad Actor Detection and Attacked Destination Detection, configure them as needed. If using automatic blacklisting with Bad Actor Detection, be sure to assign a global IP intelligence policy to the device (Security > Network Firewall > IP Intelligence > Policies).
  16. Click the Update button.
    The selected vector is updated, and the DoS Protection Device Configuration screen refreshes.
  17. Repeat the previous steps for any other attack types for which you want to change the configuration.
Now you have configured the system to automatically detect and respond to possible DoS and DDoS attacks, and to identify such attacks in system logs and reports.
Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Configuring manual thresholds for DoS and DDoS vectors

You manually configure thresholds for a DoS vector when you want to configure specific settings, or when the vector does not allow automatic threshold configuration.
Note: Not all settings apply to all DoS vectors. For example, some vectors cannot be automatically blacklisted.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Properties.
    The DoS Protection: Device Configuration Properties screen opens.
  2. At the top of the screen, from Device Configuration, choose Network Security, DNS Security, and SIP Security to configure relevant attack responses per vector.
    The screen displays all the available attack vectors for the given type.
    Note: Network Security vectors are listed in categories to make the list more manageable. Click the + next to a category to expand it.
  3. In the Attack Type column, click the name of any attack type to edit the settings.
    The attack settings appear on the right, in the Properties pane.
  4. For Threshold Mode, select Fully Manual.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  8. To log traffic that the system identifies as a DoS attack according to the automatic thresholds, enable Simulate Auto Threshold.
    Note: This setting applies only to vectors that can be configured for automatic thresholds. It allows you to see the results of automatic thresholds on the selected DoS vector without actually affecting traffic. When you enable this setting, the current system-computed thresholds for automatic thresholds are displayed for this vector. Automatic thresholds are not applied to packets unless the Threshold Mode is changed for the vector.
  9. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  10. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  11. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  12. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  13. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  14. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  15. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
  16. To set thresholds for attacked destinations, select Attacked Destination Detection.
    1. In the Per Destination IP Detection Threshold EPS field, specify the number of events per second headed to one IP address that identifies that destination as attacked, for purposes of attack detection and logging.
    2. In the Per Destination IP Mitigation Threshold EPS field, specify the number of events per second headed to one IP address, above which rate limiting occurs.
    3. To automatically blacklist bad actor IP addresses, select Add Destination Address to Category.
      For DoS protection, the blacklist category is set to denial_of_service automatically.
    4. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
    5. To set the duration the destination address remains blacklisted, specify the Category Duration Time in seconds. The default is 900 seconds.
    6. To allow destination IP blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
  17. Click the Update button.
    The selected configuration is updated, and the DoS Protection Device Configuration screen opens again.
  18. Repeat the previous steps for any other attack types for which you want to manually configure thresholds.
Now you have configured the system to provide custom responses to possible DoS and DDoS attacks, and to allow such attacks to be identified in system logs and reports, rate-limited, and blacklisted when specified.
Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system. Configure a Blacklist Publisher, if necessary, to advertise routes for blacklist entries.
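The way the Fully Manual settings above interact is easiest to see on a stream of events. The following is an added example written for this page, not F5 code: it models one vector's Detection Threshold EPS, Mitigation Threshold EPS, Bad Actor Detection with its per-source thresholds, Sustained Attack Detection Time and Category Duration Time on a constructed six-second event stream. The threshold numbers, source addresses, and the rule that a source is blacklisted once it has stayed above its per-source detection threshold for the configured number of consecutive seconds are assumptions made for the demonstration, not a description of how AFM implements these settings internally; the Detection Threshold Percent setting is not modelled.

```python
"""Toy model of manual Device DoS thresholds for one vector (added example, not F5 code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INFINITE: Optional[int] = None  # the UI's "Infinite": no value, the threshold never triggers


@dataclass
class VectorConfig:
    """Fully Manual settings for one vector; the numbers are constructed for the demo."""
    detection_eps: Optional[int] = 100          # Detection Threshold EPS
    mitigation_eps: Optional[int] = 200         # Mitigation Threshold EPS
    bad_actor_detection: bool = True
    per_src_detection_eps: Optional[int] = 50   # Per Source IP Detection Threshold EPS
    per_src_mitigation_eps: Optional[int] = 80  # Per Source IP Mitigation Threshold EPS
    sustained_attack_seconds: int = 3           # Sustained Attack Detection Time (assumed: consecutive seconds)
    category_duration_seconds: int = 14400      # Category Duration Time (page default: 4 hours)


@dataclass
class VectorState:
    blacklist: Dict[str, int] = field(default_factory=dict)   # src -> second the entry expires
    over_since: Dict[str, int] = field(default_factory=dict)  # src -> first second over per-src detection
    log: List[str] = field(default_factory=list)


def exceeds(count: int, threshold: Optional[int]) -> bool:
    return threshold is not INFINITE and count > threshold


def process_second(cfg: VectorConfig, state: VectorState, now: int, sources: List[str]) -> Tuple[int, int]:
    """Apply the vector's thresholds to one one-second window.

    `sources` holds the source IP of every event seen in that second.
    Returns (passed, dropped) and appends detection and blacklist lines to state.log.
    """
    # Expire blacklist entries whose Category Duration Time has elapsed.
    for src in [s for s, expiry in state.blacklist.items() if now >= expiry]:
        del state.blacklist[src]

    total = len(sources)
    if exceeds(total, cfg.detection_eps):
        state.log.append(f"t={now}: attack detected, {total} eps > {cfg.detection_eps}")

    allowed = 0
    for src, n in Counter(sources).items():
        if cfg.bad_actor_detection and exceeds(n, cfg.per_src_detection_eps):
            first = state.over_since.setdefault(src, now)
            state.log.append(f"t={now}: bad actor {src}, {n} eps > {cfg.per_src_detection_eps}")
            if src not in state.blacklist and now - first + 1 >= cfg.sustained_attack_seconds:
                state.blacklist[src] = now + cfg.category_duration_seconds
                state.log.append(f"t={now}: {src} added to denial_of_service until t={state.blacklist[src]}")
        else:
            state.over_since.pop(src, None)  # the sustained-attack clock restarts

        if src in state.blacklist:
            continue  # nothing from a blacklisted source passes
        cap = n
        if cfg.bad_actor_detection and cfg.per_src_mitigation_eps is not INFINITE:
            cap = min(cap, cfg.per_src_mitigation_eps)  # per-source rate limit
        allowed += cap

    if cfg.mitigation_eps is not INFINITE:
        allowed = min(allowed, cfg.mitigation_eps)  # excess above the vector threshold is dropped
    return allowed, total - allowed


def run_demo() -> Tuple[List[Tuple[int, int]], VectorState]:
    """Constructed stream: normal traffic, one flooding source for four seconds, then a
    spread-out burst that trips only the vector-wide mitigation threshold."""
    stream = [
        ["10.0.0.1"] * 30 + ["10.0.0.2"] * 30,
        ["10.0.0.9"] * 150 + ["10.0.0.1"] * 40,
        ["10.0.0.9"] * 300 + ["10.0.0.1"] * 40,
        ["10.0.0.9"] * 300 + ["10.0.0.1"] * 40,
        ["10.0.0.9"] * 300 + ["10.0.0.1"] * 40,
        [f"10.0.1.{i}" for i in range(5) for _ in range(45)],
    ]
    cfg, state = VectorConfig(), VectorState()
    results = [process_second(cfg, state, t, events) for t, events in enumerate(stream)]
    return results, state


if __name__ == "__main__":
    results, state = run_demo()
    for t, (passed, dropped) in enumerate(results):
        print(f"t={t}: passed={passed} dropped={dropped}")
    print("\n".join(state.log))
```

Running it shows the three layers separately: in seconds 1 and 2 the flooding source is reported as a bad actor and rate limited to its per-source mitigation value while the vector-wide detection threshold logs an attack; in second 3 it has been over its detection threshold for the configured sustained time and is blacklisted, so nothing from it passes afterwards; in second 5 no single source is a bad actor, yet the vector-wide mitigation threshold still drops the excess.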

Device DoS attack types

You can specify particular auto or manual thresholds, rate increases, rate limits, enforcement, and other parameters for supported device DoS attack types, to more accurately detect, track, and rate limit attacks.

Important: All hardware-supported vectors are performed in hardware on vCMP® guests, provided that the vCMP guests have the same software version as the vCMP host.

Network Security vectors

| DoS category | Attack name | DoS vector name | Information | Hardware accelerated |
| --- | --- | --- | --- | --- |
| Flood | Ethernet Broadcast Packet | ether-brdcst-pkt | Ethernet broadcast packet flood | Yes |
| Flood | Ethernet Multicast Packet | ether-multicst-pkt | Ethernet destination is not broadcast, but is multicast | Yes |
| Flood | ARP Flood | arp-flood | ARP packet flood | Yes |
| Flood | IP Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4 | Yes |
| Flood | IGMP Flood | igmp-flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes |
| Flood | Routing Header Type 0 | routing-header-type-0 | Routing header type zero is present in flood packets | Yes |
| Flood | IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6 | No |
| Flood | IGMP Fragment Flood | igmp-frag-flood | Fragmented packet flood with IGMP protocol | Yes |
| Flood | TCP SYN Flood | tcp-syn-flood | TCP SYN flood | Yes |
| Flood | TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood | Yes |
| Flood | TCP RST Flood | tcp-rst-flood | TCP RST flood | Yes |
| Flood | TCP Window Size | tcp-window-size | The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value, where value is <=128. | Yes |
| Flood | ICMPv4 Flood | icmpv4-flood | Flood with ICMP v4 packets | Yes |
| Flood | ICMPv6 Flood | icmpv6-flood | Flood with ICMP v6 packets | Yes |
| Flood | UDP Flood | udp-flood | UDP flood attack | Yes |
| Flood | TCP SYN Oversize | tcp-syn-oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value. The default size is 64 and the maximum allowable value is 9216. | Yes |
| Flood | TCP Push Flood | tcp-push-flood | TCP push packet flood | Yes |
| Flood | TCP BADACK Flood | tcp-ack-flood | TCP ACK packet flood | No |
| Bad Header - L2 | Ethernet MAC Source Address == Destination Address | ether-mac-sa-eq-da | Ethernet MAC source address equals the destination address | Yes |
| Bad Header - IPv4 | Bad IP Version | bad-ver | The IPv4 address version in the IP header is not 4 | Yes |
| Bad Header - IPv4 | Header Length Too Short | hdr-len-too-short | IPv4 header length is less than 20 bytes | Yes |
| Bad Header - IPv4 | Header Length > L2 Length | hdr-len-gt-l2-len | No room in layer 2 packet for IP header (including options) for IPv4 address | Yes |
| Bad Header - IPv4 | L2 Length >> IP Length | l2-len-ggt-ip-len | Layer 2 packet length is much greater than the payload length in an IPv4 address header and the layer 2 length is greater than the minimum packet size | Yes |
| Bad Header - IPv4 | No L4 | no-l4 | No layer 4 payload for IPv4 address | Yes |
| Bad Header - IPv4 | Bad IP TTL Value | bad-ttl-val | Time-to-live equals zero for an IPv4 address | Yes |
| Bad Header - IPv4 | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value, where value is 1-4. | Yes |
| Bad Header - IPv4 | IP Error Checksum | ip-err-chksum | The header checksum is not correct | Yes |
| Bad Header - IPv4 | IP Option Frames | ip-opt-frames | IPv4 address packet with options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
| Bad Header - IPv4 | Bad Source | ip-bad-src | The IPv4 source IP = 255.255.255.255 or 0xe0000000U | Yes |
| Bad Header - IPv4 | IP Option Illegal Length | bad-ip-opt | Option present with illegal length | No |
| Bad Header - IPv4 | Unknown Option Type | unk-ipopt-type | Unknown IP option type | No |
| Bad Header - IGMP | Bad IGMP Frame | bad-igmp-frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
| Fragmentation | IP Fragment Too Small | ip-short-frag | IPv4 short fragment error | Yes |
| Fragmentation | IPv6 Fragment Too Small | ipv6-short-frag | IPv6 short fragment error | Yes |
| Fragmentation | IPv6 Atomic Fragment | ipv6-atomic-frag | IPv6 Frag header present with M=0 and FragOffset=0 | Yes |
| Fragmentation | ICMP Fragment | icmp-frag | ICMP fragment flood | Yes |
| Fragmentation | IP Fragment Error | ip-other-frag | Other IPv4 fragment error | Yes |
| Fragmentation | IPv6 Fragment Error | ipv6-other-frag | Other IPv6 fragment error | Yes |
| Fragmentation | IP Fragment Overlap | ip-overlap-frag | IPv4 overlapping fragment error | No |
| Fragmentation | IPv6 Fragment Overlap | ipv6-overlap-frag | IPv6 overlapping fragment error | No |
| Bad Header - IPv6 | Bad IPv6 Version | bad-ipv6-ver | The IPv6 address version in the IP header is not 6 | Yes |
| Bad Header - IPv6 | IPv6 Length > L2 Length | ipv6-len-gt-l2-len | IPv6 address length is greater than the layer 2 length | Yes |
| Bad Header - IPv6 | Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length | Yes |
| Bad Header - IPv6 | Too Many Extension Headers | too-many-ext-hdrs | For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value, where value is 0-15. | Yes |
| Bad Header - IPv6 | IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header | Yes |
| Bad Header - IPv6 | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value, where value is 0-1024. | Yes |
| Bad Header - IPv6 | No L4 (Extended Headers Go To Or Past End of Frame) | l4-ext-hdrs-go-end | Extended headers go to the end or past the end of the L4 frame | Yes |
| Bad Header - IPv6 | Bad IPv6 Hop Count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad | Yes |
| Bad Header - IPv6 | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where value is 1-4. | Yes |
| Bad Header - IPv6 | IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 address contains extended header frames | Yes |
| Bad Header - IPv6 | IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 header are in the wrong order | Yes |
| Bad Header - IPv6 | Bad IPv6 Addr | ipv6-bad-src | IPv6 source IP = 0xff00:: | Yes |
| Bad Header - IPv6 | IPv4 Mapped IPv6 | ipv4-mapped-ipv6 | IPv4 address is in the lowest 32 bits of an IPv6 address. | Yes |
| Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words | Yes |
| Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | | Yes |
| Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type | Yes |
| Bad Header - TCP | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length | Yes |
| Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header | Yes |
| Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match | Yes |
| Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set) | Yes |
| Bad Header - TCP | Bad TCP Flags (All Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0) | Yes |
| Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set) | Yes |
| Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set) | Yes |
| Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious | Yes |
| Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet | Yes |
| Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not of one of the valid IPv4 or IPv6 types. Valid IPv4 types: 0 Echo Reply, 3 Destination Unreachable, 4 Source Quench, 5 Redirect, 8 Echo, 11 Time Exceeded, 12 Parameter Problem, 13 Timestamp, 14 Timestamp Reply, 15 Information Request, 16 Information Reply, 17 Address Mask Request, 18 Address Mask Reply. Valid IPv6 types: 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem, 128 Echo Request, 129 Echo Reply, 130 Membership Query, 131 Membership Report, 132 Membership Reduction. | Yes |
| Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value, where value is <=65515. | Yes |
| Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than IP length or layer 2 length | Yes |
| Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct | Yes |
| Other | Host Unreachable | host-unreachable | Host unreachable error | Yes |
| Other | TIDCMP | tidcmp | ICMP source quench attack | Yes |
| Other | LAND Attack | land-attack | Source IP equals destination IP address | Yes |
| Other | IP Unknown protocol | ip-unk-prot | Unknown IP protocol | No |
| Other | TCP Half Open | tcp-half-open | The number of new or untrusted TCP connections that can be established. Overrides the Global SYN Check threshold in Configuration > Local Traffic > General. | No |
| Other | IP uncommon proto | ip-uncommon-proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes |
| Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value, where value is 256-8192. | Yes |
| Single Endpoint | Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
| Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
| Bad Header - SCTP | Bad SCTP Checksum | bad-sctp-checksum | Bad SCTP packet checksum | No |
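To make the Bad Header conditions in the table concrete, here is an added example (not F5 code) that checks a raw Ethernet/IPv4/TCP frame against a subset of the vectors listed above and returns the matching vector names. The frames are constructed in the block; DOS_IPLOWTTL stands in for the dos.iplowttl db variable, and the "all flags set" check tests the six classic TCP flag bits, which is an assumption because the page does not say which bits AFM examines.

```python
"""Match an Ethernet/IPv4/TCP frame against some Network Security vectors (added example, not F5 code)."""
import socket
import struct
from typing import List

DOS_IPLOWTTL = 1  # stands in for the dos.iplowttl db variable (default 1 per the table)
FIN, SYN = 0x01, 0x02


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(frame: bytes) -> List[str]:
    """Return the table's vector names that the frame matches (empty list: clean)."""
    hits: List[str] = []
    if len(frame) < 14:
        return hits
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], frame[12:14]
    if src_mac == dst_mac:
        hits.append("ether-mac-sa-eq-da")
    if ethertype != b"\x08\x00" or len(frame) < 34:
        return hits
    ip = frame[14:]
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        hits.append("bad-ver")
    if ihl < 20:
        hits.append("hdr-len-too-short")
    elif ihl > len(ip):
        hits.append("hdr-len-gt-l2-len")  # header claims more bytes than the L2 frame holds
    elif ipv4_checksum(ip[:ihl]) != 0:
        hits.append("ip-err-chksum")
    if ttl == 0:
        hits.append("bad-ttl-val")
    elif ttl <= DOS_IPLOWTTL and dst[0] < 224:  # the table excludes multicast destinations
        hits.append("ttl-leq-one")
    if src in (b"\xff\xff\xff\xff", b"\xe0\x00\x00\x00"):  # 255.255.255.255 or 0xe0000000
        hits.append("ip-bad-src")
    if src == dst:
        hits.append("land-attack")
    if proto == 6 and 20 <= ihl <= len(ip) - 20:
        seq = struct.unpack("!I", ip[ihl + 4:ihl + 8])[0]
        doff_flags = struct.unpack("!H", ip[ihl + 12:ihl + 14])[0]
        data_offset, flags = doff_flags >> 12, doff_flags & 0x3F  # six classic flag bits (assumption)
        if data_offset < 5:
            hits.append("tcp-hdr-len-too-short")
        if flags == 0x3F:
            hits.append("bad-tcp-flags-all-set")
        elif flags == 0 and seq == 0:
            hits.append("bad-tcp-flags-all-clr")
        elif flags & (SYN | FIN) == SYN | FIN:
            hits.append("syn-and-fin-set")
        elif flags == FIN:
            hits.append("fin-only-set")
    return hits


def build_frame(src_ip: str, dst_ip: str, ttl: int = 64, version: int = 4, ihl: int = 5,
                flags: int = SYN, seq: int = 1, data_offset: int = 5, corrupt_checksum: bool = False,
                src_mac: bytes = b"\x02" * 6, dst_mac: bytes = b"\x04" * 6) -> bytes:
    """Construct a minimal sample frame. The IPv4 header is always 20 bytes, so an ihl
    other than 5 yields a header whose declared length disagrees with the frame."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (data_offset << 12) | flags, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(hdr) ^ (0xFFFF if corrupt_checksum else 0)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + tcp


if __name__ == "__main__":
    samples = {
        "normal SYN": build_frame("10.0.0.5", "10.0.0.6"),
        "LAND": build_frame("10.0.0.5", "10.0.0.5"),
        "SYN+FIN": build_frame("10.0.0.5", "10.0.0.6", flags=SYN | FIN),
        "bad checksum": build_frame("10.0.0.5", "10.0.0.6", corrupt_checksum=True),
    }
    for name, frame in samples.items():
        print(f"{name}: {classify(frame) or ['clean']}")
```

Each hit corresponds to one row of the table, so a frame can legitimately match several vectors at once (for example a LAND packet with a low TTL); the order of the checks in the block is arbitrary and carries no meaning.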

DNS Security vectors

The system tracks and rate limits all UDP DNS packets (excluding those whitelisted). TCP DNS packets are also tracked but only for the DNS requests that reach a virtual server that has a DNS profile associated with it.

For vectors where VLAN is <tunable>, you can tune this value in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094.

| DoS category | Attack name | DoS vector name | Information | Hardware accelerated |
| --- | --- | --- | --- | --- |
| DNS | DNS A Query | dns-a-query | DNS Query, DNS Qtype is A_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS AAAA Query | dns-aaaa-query | DNS Query, DNS Qtype is AAAA, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS Any Query | dns-any-query | DNS Query, DNS Qtype is ANY_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS AXFR Query | dns-axfr-query | DNS Query, DNS Qtype is AXFR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS CNAME Query | dns-cname-query | DNS Query, DNS Qtype is CNAME, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS IXFR Query | dns-ixfr-query | DNS Query, DNS Qtype is IXFR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS Malformed | dns-malformed | Malformed DNS packet | Yes |
| DNS | DNS MX Query | dns-mx-query | DNS Query, DNS Qtype is MX, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS NS Query | dns-ns-query | DNS Query, DNS Qtype is NS, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS OTHER Query | dns-other-query | DNS Query, DNS Qtype is OTHER, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS PTR Query | dns-ptr-query | DNS Query, DNS Qtype is PTR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS Question Items != 1 | dns-qdcount-limit | DNS Query, DNS Qtype is ANY_QRY, the DNS query has more than one question. | Yes |
| DNS | DNS Response Flood | dns-response-flood | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS SOA Query | dns-soa-query | DNS Query, DNS Qtype is SOA_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS SRV Query | dns-srv-query | DNS Query, DNS Qtype is SRV, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
| DNS | DNS TXT Query | dns-txt-query | DNS Query, DNS Qtype is TXT, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
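As an added example (not F5 code), the following parses the header and question section of a DNS message and returns the vector name from the table under which that packet would be counted. The QTYPE-to-vector mapping uses the RFC-assigned QTYPE numbers; the VLAN condition, which depends on dos.dnsvlan, is not modelled, and the sample messages are constructed in the block.

```python
"""Sort a DNS message into one of the DNS Security vectors above (added example, not F5 code)."""
import struct
from typing import Dict

# QTYPE values from RFC 1035 (plus 3596, 2782, 1995) mapped to the table's vector names
QTYPE_VECTORS: Dict[int, str] = {
    1: "dns-a-query", 2: "dns-ns-query", 5: "dns-cname-query", 6: "dns-soa-query",
    12: "dns-ptr-query", 15: "dns-mx-query", 16: "dns-txt-query", 28: "dns-aaaa-query",
    33: "dns-srv-query", 251: "dns-ixfr-query", 252: "dns-axfr-query", 255: "dns-any-query",
}


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qtype: int, qr: int = 0, qdcount: int = 1, txid: int = 0x1234) -> bytes:
    """Construct the UDP payload of a single-question DNS message (sample data for the demo)."""
    flags = (qr << 15) | 0x0100  # QR in bit 15; RD set as a resolver would
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def classify_dns(payload: bytes) -> str:
    """Return the DNS Security vector name the payload would be counted under."""
    if len(payload) < 12:
        return "dns-malformed"
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:  # header flags bit 15 set: this is a response
        return "dns-response-flood"
    if qdcount != 1:
        return "dns-qdcount-limit"
    pos = 12  # walk the QNAME labels to reach QTYPE
    while True:
        if pos >= len(payload):
            return "dns-malformed"
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0 == 0xC0:  # a compression pointer ends the name
            pos += 2
            break
        pos += 1 + label_len
    if pos + 4 > len(payload):
        return "dns-malformed"
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return QTYPE_VECTORS.get(qtype, "dns-other-query")


if __name__ == "__main__":
    for label, msg in [("A query", build_query("example.com", 1)),
                       ("ANY query", build_query("example.com", 255)),
                       ("response", build_query("example.com", 1, qr=1)),
                       ("two questions", build_query("example.com", 1, qdcount=2)),
                       ("truncated", build_query("example.com", 1)[:20])]:
        print(f"{label}: {classify_dns(msg)}")
```

The checks are ordered the way the table's conditions nest: a response is counted before any question is examined, a question count other than one is counted before the QTYPE is read, and anything that cannot be parsed that far falls under DNS Malformed.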

SIP Security vectors

| DoS category | Attack name | DoS vector name | Information | Hardware accelerated |
| --- | --- | --- | --- | --- |
| SIP | SIP ACK Method | sip-ack-method | SIP ACK packets | Yes |
| SIP | SIP BYE Method | sip-bye-method | SIP BYE packets | Yes |
| SIP | SIP CANCEL Method | sip-cancel-method | SIP CANCEL packets | Yes |
| SIP | SIP INVITE Method | sip-invite-method | SIP INVITE packets | Yes |
| SIP | SIP Malformed | sip-malformed | Malformed SIP packets | Yes |
| SIP | SIP MESSAGE Method | sip-message-method | SIP MESSAGE packets | Yes |
| SIP | SIP NOTIFY Method | sip-notify-method | SIP NOTIFY packets | Yes |
| SIP | SIP OPTIONS Method | sip-options-method | SIP OPTIONS packets | Yes |
| SIP | SIP OTHER Method | sip-other-method | Other SIP method packets | Yes |
| SIP | SIP PRACK Method | sip-prack-method | SIP PRACK packets | Yes |
| SIP | SIP PUBLISH Method | sip-publish-method | SIP PUBLISH packets | Yes |
| SIP | SIP REGISTER Method | sip-register-method | SIP REGISTER packets | Yes |
| SIP | SIP SUBSCRIBE Method | sip-subscribe-method | SIP SUBSCRIBE packets | Yes |
| SIP | SIP URI Limit | sip-uri-limit | Packets that exceed the SIP URI limit | Yes |