Applies To:

Show Versions Show Versions

Manual Chapter: Preventing Global DoS Sweep and Flood Attacks
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique that typically sweeps your network by sending packets, and using the packet responses to determine live hosts. Typical attacks use ICMP to accomplish this.

The sweep vector tracks packets by source address. Packets from a specific source that meet the defined single endpoint sweep criteria, and exceed the rate limit, are dropped. You can also configure the sweep vector to automatically blacklist an IP address from which the sweep attack originates.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host, or multiple hosts.

A flood attack is a an attack technique that floods your network with packets of a certain type, in an attempt to overwhelm the system. A typical attack might flood the system with SYN packets without then sending corresponding ACK responses. UDP flood attacks flood your network with a large amount of UDP packets, requiring the system to verify applications and send responses.

The flood vector tracks packets per destination address. Packets to a specific destination that meet the defined Single Endpoint Flood criteria, and exceed the rate limit, are dropped.

The BIG-IP® system can detect such attacks with a configurable detection threshold, and can rate limit packets from a source when the detection threshold is reached.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

You can configure DoS sweep and flood prevention through DoS Protection >Device Configuration > Network Security.

Task list

Detecting and protecting against single endpoint DoS flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security .
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Single-Endpoint category.
  3. Click Single Endpoint Flood.
    The Single Endpoint Flood Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. Select the Add Destination Address to Category check box to enable automatic blacklisting.
  8. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  9. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  12. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  13. Click the Update button.
    The flood attack configuration is updated on the Device Protection screen.
Now you have configured the system to provide protection against DoS flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically want to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against DoS sweep attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for DoS sweep attacks, and automatically blacklist IP addresses that you detect perpetrating such attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security .
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Single-Endpoint category.
  3. Click Single Endpoint Sweep.
    The Single Endpoint Sweep Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  6. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  8. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  9. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  10. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  11. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  12. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and click << to move them to the Selected list.
  13. Click the Update button.
    The sweep attack configuration is updated on the Device Protection screen.
Now you have configured the system to provide protection against DoS sweep attacks, to allow such attacks to be identified in system logs and reports, and to automatically add such attackers to a blacklist of your choice.
Configure flood attack prevention, and configure any other DoS responses, in the DoS device configuration. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Detecting and protecting against UDP flood attacks

With the DoS Protection Device Configuration screen settings, you can set detection thresholds and rate limits for UDP flood attacks.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Network Security .
    The Network Security screen opens to Device Configuration.
  2. In the Category column, expand the Flood category.
  3. Click UDP Flood.
    The UDP Flood Properties pane opens on the right side of the screen.
  4. On the Properties pane, for State, select Mitigate.
  5. For Threshold Mode, select Fully Manual.
  6. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  7. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  8. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  9. Select Simulate Auto Threshold to log the results of the current automatic thresholds, when enforcing manual thresholds.
  10. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  11. In the Per Source IP Detection Threshold EPS field, specify the number of events of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  12. In the Per Source IP Mitigation Threshold EPS field, specify the number of events of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  13. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  14. From the Category Name list, select a black list category to apply to automatically blacklisted addresses.
  15. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  16. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher .
  18. Select Attacked Destination Detection to configure automatic blacklisting for attacked destination IP addresses.
  19. From the Port List Type list, select Include All Ports or Exclude All Ports.
    An Include list checks all the ports you specify in the Port List, using the specified threshold criteria, and ignores all others.
    An Exclude list excludes all the ports you specify in the Port List from checking, using the specified threshold criteria, and checks all others. To check all UDP ports, specify an empty exclude list.
  20. In the UDP Port List area, type a port number to add to an exclude or include UDP port list.
  21. In the UDP Port List area, select the mode for each port number you want to add to an exclude or include UDP port list.
    • None does not include or exclude the port.
    • Source only includes or excluded the port from source packets only.
    • Destination only includes or excludes the port for destination packets only.
    • Both Source and Destination includes or excludes the port in both source and destination packets.
  22. Click the Update button.
    The UDP Flood attack configuration is updated on the DoS Device Configuration screen.
You have now configured the system to provide customized protection against UDP flood attacks, and to allow such attacks to be identified in system logs and reports.
Configure sweep and flood attack prevention, and configure any other DoS responses, in the DoS device configuration screens. Configure whitelist entries for addresses that you specifically choose to bypass all DoS checks. Configure SNMP traps, logging, and reporting for DoS attacks, to track threats to your system.

Allowing addresses to bypass global DoS checks

You can specify whitelist addresses that the DoS Device Configuration do not subject to DoS checks. Whitelist entries are specified on a security address list, and can be configured directly on the Device DoS Configuration screen.
  1. On the Main tab, click Security > DoS Protection > Device Configuration > Properties .
    The DoS Protection Device Configuration screen opens.
  2. In the Whitelist Address List field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  3. To define an address list to use as a whitelist, on the right side of the screen in the Shared Objects pane, click the + next to Address Lists.
    The Address List Properties pane opens.
  4. Type a Name for the address list.
  5. Optionally, type a Description for the address list.
  6. In the Contents field, type an address, and click Add. Repeat this step to add all items you want on the whitelist.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  7. Click Update to update the address list.
    If this is a new address list, type and select the address list in the Whitelist Address List field.
  8. Click Commit Changes to System to commit the whitelist to the device configuration.
You have now specified a whitelist to bypass DoS checks for specific addresses globally.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)