Attackers can target the BIG-IP system in a number of ways. The BIG-IP system
addresses several possible DoS, DDoS, SIP, and DNS attack routes:
- DoS and DDoS attacks
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to render a
machine or network resource unavailable to users. DoS attacks require the efforts of one or
more people to disrupt the services of a host connected to the Internet. The Advanced Firewall Manager allows you to configure packet limits, percentage increase
thresholds, and absolute rate limits of a wide variety of packets that attackers leverage as
attack vectors, to detect and prevent attacks of this type.
- DNS and SIP flood (or DoS) attacks
- Denial-of-service (DoS) or flood attacks attempt to overwhelm a system by sending thousands
of requests that are either malformed or simply attempt to overwhelm a system using a
particular DNS query type or protocol extension, or a particular SIP request type. The BIG-IP
system allows you to track such attacks.
- Malformed DNS packets
- Malformed DNS packets can be used to consume processing power on the BIG-IP system, ultimately causing
slowdowns like a DNS flood. The BIG-IP system drops malformed DNS packets, and allows you to configure
how you track such attacks.
- Malformed SIP packets
- Malformed SIP request packets can be used to consume processing power on the BIG-IP system, ultimately
causing slowdowns like a SIP flood. The BIG-IP system drops malformed SIP packets, and allows you to
configure how you track such attacks.
- Protocol exploits
- Attackers can send DNS requests using unusual DNS query types or opcodes. The BIG-IP system can be
configured to allow or deny certain DNS query types, and to deny specific DNS opcodes. When you configure
the system to deny such protocol exploits, the system tracks these events as attacks.