Manual Chapter: About Detecting and Protecting Against DoS DDoS and DNS Service Attacks

About detecting and protecting against DoS, DDoS, and DNS service attacks

Attackers can target the BIG-IP system in a number of ways. The BIG-IP system addresses several possible DoS, DDoS, and DNS attack routes:

DoS and DDoS attacks
Denial of service (DoS) and distributed denial of service (DDoS) attacks attempt to render a machine or network resource unavailable to users. Denial of service attacks require the efforts of one or more people to disrupt the services of a host connected to the Internet. The Advanced Firewall Module allows you to configure packet limits, percentage increase thresholds, and absolute rate limits of a wide variety of packets that attackers leverage as attack vectors, to detect and prevent attacks of this type.
DNS flood (DoS) attacks
Denial of service (DoS) or flood attacks attempt to overwhelm a system by sending thousands of requests that are either malformed or that use a particular DNS query type or protocol extension. The BIG-IP system allows you to track such attacks.
Malformed DNS packets
Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing slowdowns similar to those of a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks.
Protocol exploits
Attackers can send DNS requests using unusual DNS query types or opcodes. The BIG-IP system can be configured to allow or deny certain DNS query types, and to deny specific DNS opcodes. When you configure the system to deny such protocol exploits, the system tracks these events as attacks.

About profiles for DoS and DNS service attacks

On your BIG-IP system, you can use two profiles, both enabled by the Protocol Security Manager module, to detect and protect against DNS attacks.

DoS protection profile
Allows you to configure the response thresholds on the BIG-IP system for malformed DNS packets. Malformed packets are dropped by the system. The DoS protection profile also allows you to configure the threshold increase of packets of specific DNS query types. You can use SNMP alerts generated by these items, and information reported in real-time reports and in system logs, to mitigate a specific DNS query type attack; for example, by blocking it with the DNS security profile.
DNS security profile
Allows you to configure the BIG-IP system to exclude (drop) or include (allow) packets of specific DNS query types. You can also configure the profile to drop specific DNS header opcodes.
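
The per-packet decision described above (drop malformed packets, deny listed opcodes, deny listed query types), as an added Python example that is not F5 code or BIG-IP configuration. The deny lists, function names, and sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Assumed policy for illustration only; these are not BIG-IP defaults.
DENIED_OPCODES = {4, 5}      # NOTIFY, UPDATE
DENIED_QTYPES = {252, 255}   # AXFR, ANY

def classify(packet: bytes) -> str:
    """Return 'malformed', 'denied-opcode', 'denied-qtype' or 'allowed'."""
    if len(packet) < 12:                      # DNS header is 12 octets
        return "malformed"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    opcode = (flags >> 11) & 0xF              # opcode is bits 11-14 of flags
    if opcode in DENIED_OPCODES:
        return "denied-opcode"
    if qdcount != 1:                          # simplification: expect one question
        return "malformed"
    pos, name_len = 12, 0
    while True:                               # walk the QNAME labels
        if pos >= len(packet):
            return "malformed"                # name runs off the end
        length = packet[pos]
        pos += 1
        if length == 0:
            break                             # root label ends the name
        name_len += length + 1
        if length > 63 or name_len > 254:     # bad label or over-long name
            return "malformed"
        pos += length
    if pos + 4 > len(packet):                 # QTYPE and QCLASS must follow
        return "malformed"
    qtype, _qclass = struct.unpack("!2H", packet[pos:pos + 4])
    return "denied-qtype" if qtype in DENIED_QTYPES else "allowed"

def build_query(name: str, qtype: int, opcode: int = 0) -> bytes:
    """Construct a sample query (test input, not captured traffic)."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def tally(packets) -> Counter:
    """Count outcomes, the per-category figures a threshold would watch."""
    return Counter(classify(p) for p in packets)

if __name__ == "__main__":
    sample = [build_query("example.com", 1), build_query("example.com", 255),
              build_query("example.com", 1, opcode=5), b"\x12\x34\x01"]
    print(tally(sample))
```
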