Manual Chapter : Configuring DoS Policy Switching

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: Configuring DoS policy switching

You can configure the BIG-IP® system to protect against Layer 7 DoS attacks applying unique profiles in different situations, or on different types of traffic.

In this example, you configure DoS protection for Layer 7 by creating two DoS profiles with Application Security enabled. You associate the DoS profiles with virtual servers representing the applications that you want to protect. You also create a local traffic policy with rules that assign different DoS protections depending on the traffic. Then you associate the local traffic policy with the virtual servers.

This example divides traffic into three categories:

  • Employees: A unique DoS profile, assigned to employees, reports DoS attacks but does not drop connections when there is an attack.
  • Internal users: No DoS protection is applied to internal users.
  • Others: The strictest DoS protection is applied using the default DoS profile for all other users; the system blocks DoS attacks that occur on other traffic.

Many other options are available for configuring DoS policy switching. This is simply one way to illustrate how you can configure multiple DoS protections using a local traffic policy to determine different conditions and actions. By following the steps in this example, you can see the other options that are available on the screens, and can adjust the example for your needs.

Task Summary

About DoS protection and local traffic policies

To provide additional flexibility for configuring DoS protection, you can use local traffic policies together with DoS protection. The advantage of creating local traffic policies is that you can apply multiple DoS protection policies to different types of traffic, using distinct DoS profiles. However, you need to be aware of certain considerations when using this method.

Local traffic policies can include multiple rules. Each rule consists of a condition and a set of actions to be performed if the respective condition holds. So you can create a local traffic policy that controls Layer 7 DoS protection and includes multiple rules. If you do, every rule must include one of the following Layer 7 DoS actions:

  • Enable DoS protection using the default DoS profile (/Common/dos)
  • Enable DoS protection from a specific DoS profile
  • Disable DoS protection
Important: Make sure that the local traffic policy with DoS protection includes a default rule with no condition that applies to traffic that does not match any other rule. In addition, be sure that each rule (including the default one), has an L7  DoS action in it, possibly in addition to other actions.

A default rule is required because the local traffic policy action applies not only to the request that matched the condition, but also to the following requests in the same TCP connection, even if they do not match the condition that triggered the action unless subsequent requests on the same connection match a different rule with a different L7 DoS action.

This requirement ensures that every request will match some rule (even the default one), and will trigger a reasonable Layer 7 DoS action. This way a request will not automatically enforce the action of the previous request on the same connection, which can yield unexpected results.

A typical action for the default rule in case of Layer 7 DoS is to create a rule with no condition and simply enable DoS protection. In this case, the action the rule takes is to use the DoS policy attached to the virtual server. In the example of configuring DoS policy switching, the third rule, others, is the default rule.

Creating a DoS profile for Layer 7 traffic

To define the circumstances under which the system considers traffic to be a Denial of Service (DoS attack), you create a DoS profile. For the DoS policy switching example, you can create a special DoS profile, for employees, that does not block traffic. It only reports the DoS attack.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. In the Name field, typeemployee_l7dos_profile for the profile, then click Finished.
  4. In the list of DoS profiles, click the name of the profile you just created, and click the Application Security tab.
  5. On the left, under Application Security, click General Settings, and ensure that Application Security is enabled.
    The screen displays additional settings.
  6. On the left, under Application Security, click TPS-based Detection.
    The screen displays TPS-based DoS Detection settings.
  7. For Operation Mode, select the option to determine how the system reacts when it detects a DoS attack.
    Option Description
    Transparent Displays data about DoS attacks on the DoS reporting screens, but does not block requests, or perform any of the mitigations.
    Blocking Applies the necessary mitigation steps to suspicious IP addresses, geolocations, URLs, or the entire site. Also displays information about DoS attacks on the DoS reporting screens.
    Select Off to turn this type of DoS Detection off.
    The screen displays additional configuration settings when you select an operation mode.
  8. Use the default values for the other settings.
  9. Click Update to save the DoS profile.
You have now created a simple DoS profile to report DoS attacks based on transaction rates using TPS-based DoS protection.

Modifying the default DoS profile

The BIG-IP® system includes a default DoS profile that you can modify to specify when to use DoS protection. For the DoS policy switching example, you can modify the default DoS profile and use it for people other than employees or internal users who are accessing applications. This example creates a strict default DoS profile that drops requests considered to be an attack.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click the profile called dos, and click the Application Security tab.
    The DoS Profile Properties screen opens.
  3. On the left, under Application Security, click General Settings, and ensure that Application Security is enabled.
    The screen displays additional settings.
  4. On the left, under Application Security, click TPS-based Detection.
    The screen displays TPS-based DoS Detection settings.
  5. In the TPS-based DoS Detection settings, ensure that the Operation Mode is set to Blocking.
  6. On the left, under Application Security, click Behavioral & Stress-based Detection.
    The screen displays Behavioral & Stress-based DoS Detection settings.
  7. In the Behavioral & Stress-based Detection settings, edit the Operation Mode, and select Blocking.
  8. Use the default values for the other settings.
  9. Click Update to save the DoS profile.
You have now modified the default DoS profile that will be used for people other than employees or internal users. For these users, the system drops connections from attacking IP addresses, and for requests directed to attacked URLs.

Creating a local traffic policy for DoS policy switching

You can create a local traffic policy to impose different levels of DoS protection on distinct types of Layer 7 traffic.
  1. On the Main tab, click Local Traffic > Policies .
  2. Click Create.
    The New Policy screen opens.
  3. In the Policy Name field, type a name for the local traffic policy.
  4. From the Strategy list, select first.
    The system applies the first rule that matches the criteria specified.
  5. If you see a Type setting, leave it set to Traffic Policy.
  6. Click Create Policy to create the local traffic policy.
  7. Click Save Draft to save the local traffic policy.
You have now created a draft local traffic policy, but it does not direct traffic yet.
Next, you need to add rules to the local traffic policy to specify the DoS protection that should occur for different types of Layer 7 traffic.

Creating policy rules for DoS policy switching

Before you can add rules to the local traffic policy, you need to have created the policy, and it must be in draft form. For this example, you need two DoS profiles that enable Application Security and perform DoS protection: one for employees, employee_l7dos_profile, and another for other people accessing the system not internally (enable Application Security on the default dos profile).
You can add rules to define conditions and perform specific actions for different types of Layer 7 traffic. This example creates three rules to implement different DoS protection for employees, for internal personnel, and for others.
  1. On the Main tab, click Local Traffic > Policies .
  2. Click the name of the draft local traffic policy that you want to control Layer 7 DoS.
  3. In the Rules area, click Create.
    The New Rule screen opens.
  4. Create a rule to define DoS protection for employees:
    1. In the Name field, type the name employees.
    2. In the Match all of the following conditions area, click +.
    3. In the same area, from the lists, select HTTP Host, host, and ends with; then, after any of, in the lower field, type employee.my_host.com, and click Add.
    4. To specify a unique DoS profile for employees, in the Do the following when the traffic is matched area, select Enable, l7dos, then after from profile, select employee_l7dos_profile (or a previously created custom DoS profile).
    5. Click Save to add the rule to the policy.
  5. Create a rule to define DoS protection for internal personnel:
    1. In the Name field, type the name internal.
    2. In the Match all of the following conditions area, click +.
    3. In the same area, from the lists select HTTP Host, host, and ends with; then, after any of, in the lower field, type internal.my_host.com, and click Add.
    4. To turn off DoS protection for employees working internally, in the Do the following when the traffic is matched area, select Disable and l7dos.
    5. Click Save to add the rule to the policy.
  6. Create a rule to define DoS protection for anyone else not handled by the first two rules:
    1. In the Name field, type the name others.
    2. Leave Match all of the following conditions set to All traffic.
    3. To specify DoS protection for all others, in the Do the following when the traffic is matched area, select Enable, l7dos, then after from profile, select dos (or a previously created custom DoS profile).
    4. Click Save to add the rule to the policy.
    This last rule is the default rule, which applies if the other two rules do not apply. If you do not include a rule like this, and traffic does not match any other rule, the previous rule that was applied is used again.
  7. Click Save Draft to save the draft local traffic policy with the rules.
    The Policy List Page opens.
  8. Select the check box next to the draft policy you edited, and click Publish.
You have now created and published a local traffic policy that defines DoS protection for employees, for internal traffic, and for others.
Next, you need to associate the DoS profiles and the local traffic policy with the virtual server that connects to the application server you are protecting.

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the virtual server requires an HTTP profile (such as the default http).
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, from the Security menu, choose Policies.
  4. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  5. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Associating a published local traffic policy with a virtual server

After you publish a local traffic policy, you associate that published policy with the virtual server created to handle application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Resources.
  4. In the Policies area, click the Manage button.
  5. For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
  6. Click Finished.
The published policy is associated with the virtual server.

Implementation results

When you have completed the steps in this implementation, you have configured the Application Security Manager™ to protect against Layer 7 DoS attacks. By using a local traffic policy, you distinguished between three types of traffic: employees, internal users, and others.

The first rule in the local traffic policy identifies employees by the last line of the host header in the request, which says employee.my_host.com. You created a special DoS profile for employees that reports transaction-based DoS attacks but does not drop connections.

The second rule in the local traffic policy identifies internal users by the last line of the host header in the request, which says internal.my_host.com. In the policy, you specified that there should be no DoS protection for internal users.

A third rule acts as the default rule and applies to any traffic that was not identified by the first two rules. All other traffic uses the default DoS profile (dos) assigned on the Security tab of the virtual server where traffic is directed to the application. You modified the default DoS profile to block transaction-based and server stress-based DoS attacks that the system detects.

After creating the local traffic policy with Layer 7 DoS rules, you also associated it with the virtual server. Different types of traffic directed to the virtual server now have distinct DoS protections assigned to them.