Manual Chapter : Managing DoS Profiles in Shared Security

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.2.0
Manual Chapter

About DoS profiles

A denial-of-service attack (DoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites.

Using Shared Security, you can configure profiles to help prevent network, SIP, and DNS DoS and DDoS attacks, and to detect and protect against DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic).

Create DoS profiles

You can create a DoS profile and configure the circumstances under which the system considers traffic to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click Create.
  3. In the New DoS Profile screen, add and set the properties as appropriate.
    Property Description
    Name Required. Specify a unique name for the DoS profile.
    Description Specify an optional description for the DoS profile.
    Partition Required. Specify the partition to which the DoS profile belongs. You can replace the default Common partition when creating DoS profiles by typing a unique name for a new partition.
    Note: The partition with that name must already exist on the BIG-IP® device. No whitespace is allowed in the partition name.
    Source IP Address Whitelist Specifies the configuration of the Source IP address white list. This property is not used with the Application Security protection type, and cannot be modified by the BIG-IQ Centralized Management system.
  4. Select a DoS protection type from the list on the left.
    Option Description
    Application Security Click Application Security > Properties , then select the Application Securitycheck box, Enabled.

    When enabled, this protects your web application against DoS attacks. Your virtual server must include an HTTP profile to use this feature. Supply or modify any necessary property values.

    Protocol DNS Click Protocol DNS, then select the Protocol DNS Protection check box, Enabled.

    When enabled, this protects your DNS server against DoS attacks. Note that your virtual server must include a DNS profile to work with this feature. Supply or modify any necessary property values.

    Protocol SIP Click Protocol SIP, then select the Protocol SIP Protectioncheck box, Enabled.

    When enabled, this protects against SIP DoS attacks. Note that your virtual server must include a SIP profile to work with this feature.

    Network Click Network, then select the Network Protection check box, Enabled.

    When enabled, this protects your server against network DoS attacks. Supply or modify any necessary property values.

  5. When you are finished, click Save to save the DoS profile, or click Save & Close to save the DoS profile and return to the DoS Profiles screen.
The new DoS profile is added to the list of profiles.

Configure for application security

Your virtual server must include an HTTP profile to use this feature.
You can configure the conditions under which the system determines your application is under a DoS attack, and how the system reacts to a suspected attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click the profile name to configure.
  3. Click Application Security on the left to expand the list.
  4. Click Properties to display the General Settings screen. Configure the application general settings as described.
    Property Description
    Application Security Select Enabled to use application security protection and display additional properties.
    IP Address Whitelist Specifies IP addresses that the system considers legitimate and does not examine when performing DoS prevention.
    • To add an IP address to the whitelist, type it in the IP Address/Prefix field, and click Add.
    • To delete an IP address from the whitelist, select an IP address in the IP Address/Prefix field, and click Delete.
    Geolocations Specifies that you want to override the DoS profile's Geolocation Detection Criteria threshold settings by selecting countries from which to allow or block traffic during a DoS attack.
    • To allow traffic from a country, select the country and move it to the Geolocation Whitelist.
    • To block traffic from a country, select the country and move it to the Geolocation Blacklist.
    Trigger iRule Enable this setting if you have an iRule that manages DoS events in a customized manner.
  5. Click Proactive Bot Defense to use the Proactive Bot Defense screen to configure those settings.
    Property Description
    Operation Mode Specifies the conditions under which the system detects and blocks bots. Select Off, During Attacks, or Always. If Off is selected, no other settings are displayed on this tab.
    Block requests from suspicious browsers Strengthens the bot defense by blocking suspicious browsers. By default, the system completely blocks highly suspicious browsers and uses CAPTCHA challenges for moderately suspicious browsers.
    • Select the Block Suspicious Browsers check box to enable blocking of suspicious browsers.
    • Select the CAPTCHA Challenge check box to enable issuing a challenge. Click CAPTCHA Response Settings to open a popup screen where you can select the responses to use.
      Note: The exact format of a response body differs depending on the version of the BIG-IP® device. Test and verify that any custom response you create works with the installed BIG-IP version.
      • For the First Response Type, select Default to use the default response, or select Custom to create your own first response body by entering it into the First Response Body area. The following is an example first response body:
        This question is for testing whether you are a human visitor and to prevent automated spam submission.
        <br>
        %DOSL7.captcha.image% %DOSL7.captcha.change%
        <br>
        <b>What code is in the image?</b>
        %DOSL7.captcha.solution%
        <br>
        %DOSL7.captcha.submit%
        <br>
        <br>
        Your support ID is: %DOSL7.captcha.support_id% 
      • For the Failure Response Type, select Default to use the default response, or select Custom to create your own failure response body by entering it into the Failure Response Body area. The following is an example failure response body:
        You have entered an invalid answer for the question. Please, try again.
        <br>
        %DOSL7.captcha.image% %DOSL7.captcha.change%
        <br>
        <b>What code is in the image?</b>
        %DOSL7.captcha.solution%
        <br>
        %DOSL7.captcha.submit%
        <br>
        <br>
        Your support ID is: %DOSL7.captcha.support_id% 
    Grace Period Specifies time in seconds for the system to validate that browsers are not bots. During this period, the system does not block requests that were not validated. Modify the number or click Reset to Default to reset the value.
    Cross-Domain Requests You can add additional security by allowing only configured domains to reference resources of the site. From the list, select an option. You can also configure domains after selecting one of the Cross-Domain Requests options.
    URL Whitelist Specifies URLs that are not blocked by Proactive Bot Defense. Requests may still be blocked by the TPS-based / Stress-based attack mitigation. Add URLs to the whitelist by typing a URL in the text box and clicking Add. Remove a URL by selecting it and clicking Remove.
  6. Click Bot Signatures to use the Bot Signatures screen to configure those settings.
    Property Description
    Bot Signature Check Select Enabled to display settings. You cannot disable the Bot Signature Check property while Proactive Bot Detection, TPS-based Detection with By Device ID selected, or Stress-based Detection with By Device ID selected, is enabled. To disable the Bot Signature Check property, you must first disable the previously listed properties. Alternatively, rather than disabling all bot signature checking by disabling Bot Signature Check, you can disable categories of bot signatures individually.
    Malicious Categories and Benign Categories These two category lists are handled similarly.

    For either category, select None, Report, or Block. That setting is then applied to all the listed items in the category. The categories can also be individually changed to another value. If you change them individually, the value for the Malicious Categories or Benign Categories changes to Custom Configuration. A user cannot set all categories to None and keep Proactive Bot Defense enabled.

    Bot Signatures List Specifies bot signatures that are available and disabled. Use the arrow buttons to move bot signatures between the Available Signatures and the Disabled Signatures lists.
  7. Click TPS-based Detection to configure settings for the detection of DoS attacks based on a high volume of incoming traffic.
    Property Description
    Operation Mode Specifies how the system reacts when it detects an attack, and can be Off, Transparent, or Blocking. If set to Off, no other properties are shown.
    By Source IP Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL.
    Site Wide Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Prevention Duration Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  8. Click Stress-based Detection to configure settings for the detection of DoS attacks based on server stress.
    Property Description
    Operation Mode Specifies how the system reacts when it detects a stress-based attack, and can be Off, Transparent or Blocking. If set to Off, no other properties are shown.
    By Source IP Specifies the criteria that determine when the system treats the IP address as an attacker, and the mitigation method to be used for the attacking IP address.
    By Device ID Specifies the criteria that determine when the system treats the device ID as an attacker, and the mitigation method to be used for the attacking device.
    By Geolocation Specifies the criteria that determine when the system treats the geolocation as an attacker, and the mitigation method to be used for the attacking geolocation. The settings exclude blacklisted and whitelisted geolocations.
    By URL Specifies the criteria that determine when the system treats the URL as an attacker, and the mitigation method to be used for the attacking URL.
    Site Wide Specifies the criteria that determine when the system determines an entire website is under attack, and the mitigation method to be used.
    Behavioral Specifies the mitigation behavior. When enabled, the selected level of mitigation is used.
    Prevention Duration Specifies the time spent in each mitigation step before moving (escalating or de-escalating) to the next mitigation step.
  9. Click Heavy URL Protection to configure settings for protecting heavy URLs during DoS attacks. Heavy URLs are those which have a potential to cause stress on the server, even with a low TPS count.
    Property Description
    Heavy URL Protection Specifies whether to enable heavy URL protection during DoS attacks. Select Enabled to show options. If set to Disabled, no other properties are shown.
    Automatic Detection Select Enabled to automatically detect heavy URLs of the application, in addition to the URLs entered manually.
    Heavy URLs You can configure a list of heavy URLs to protect in addition to the automatically detected ones. Type a URL in the text box, and click Add. Optionally, enter a threshold value.
    Ignored URLs You can configure a list of URLs which are excluded from automatic detection as heavy URLs. The system supports wildcards. Type a URL in the text box, and click Add.
    Latency Threshold If Automatic Detection is enabled, set the Latency Threshold setting to be the number of milliseconds for the system to use as the threshold for automatically detecting heavy URLs. The default value is 1000 milliseconds. Click Reset to default to reset the value to 1000.
  10. Click Record Traffic to configure settings for the recording of traffic (by performing a TCP dump) when a DoS attack is underway, to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration. You can record traffic and collect the TCP dump files into the QuickView file so that F5 support can use it for solving customer cases. The files have a pcap extension and are located in the following path on the BIG-IP device: /shared/dosl7/tcpdumps.
    Property Description
    Record Traffic During Attacks Controls whether traffic recording is used. The default is disabled and causes other properties to be hidden. Note that the system records SSL traffic encrypted. Select Enabled to specify that the system record traffic when a DoS attack is underway.
    Maximum TCP Dump Duration Displays the maximum time, in seconds, for one dump cycle. Legal values are between 1 and 300. The default is 30 seconds.
    Maximum TCP Dump Size Displays the maximum size, in MB, for a dump cycle. Legal values are between 1 and 50. The default is 10 MB.
    TCP Dump Repetition Specifies whether the system performs one dump, or multiple dumps, for each DoS attack.
  11. Save your work.
The settings are incorporated into the DoS profile.

Configure for protocol DNS

You can configure the conditions under which the system determines that your DNS server is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. Click Protocol DNS on the left to display the Properties screen.
  4. On the Properties screen, select the Enabled check box for Protocol DNS Protection.
  5. To enable Protocol Errors Attack Detection, select the Enabled check box.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    Setting Description
    Rate increased by Specifies that the system considers traffic to be an attack if the rate of requests increases above this number. By default, the system calculates this number every hour, and updates it every minute. The default is 500 percent.
    Rate threshold Specifies the number of packets per second that must be exceeded to indicate to the system that there is an attack. The default is 250,000 packets per second.
    Rate limit Specifies the limit in packets per second. The default is 2,500,000 packets per second.
  7. Review the Known Attack Types list at the bottom of the screen that shows commonly known DNS query types that you want the system to detect in packets.
  8. Enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP documentation, BIG-IP® Systems: DoS Protection and Protocol Firewall Implementations, for information on each attack type.
  9. Save your work.
The settings are incorporated into the DoS profile.

Configure for protocol SIP

Your virtual server must include a SIP profile to work with this feature.
You can configure the conditions under which the system determines that your server, running SIP (Session Initiation Protocol), is under a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. On the left, click Protocol SIP to display the protocol SIP Properties screen.
  4. On the Properties screen, select the Enabled check box for Protocol SIP Protection.
    Additional properties are displayed on the screen.
  5. To enable Protocol Errors Attack Detection, select the Enabled check box.
  6. Specify the adjustable settings as necessary for your configuration.
    The system saves settings as you enter them.
    Setting Description
    Rate increased by Specifies that the system considers traffic to be an attack if the rate of requests increases greater than this number. The system calculates this number, by default, every hour and updates it every minute. The default setting is 500 percent.
    Rate threshold Specifies the number of packets per second that must be exceeded in order to indicate to the system that there is an attack. The default setting is 250,000 packets per second.
    Rate limit Specifies the limit in packets per second. The default setting is 2,500,000 packets per second.
  7. Review the Known Attack Types list at the bottom of the screen that shows commonly known SIP method types that you want the system to detect in packets.
  8. Enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.
The settings are incorporated into the profile.

Configure for network security

You can configure the conditions under which the system determines that your server is under a network DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click the profile name you want to configure.
  3. Click Network on the left to display the Properties screen.
  4. On the Properties screen, select the check box for Network Protection.
    The screen displays a list of commonly-known network attack types that the system can detect.
  5. Enable and customize attack types individually:
    1. Click the name of the attack type to open the properties screen for it.
    2. Enable the Detection Status and specify the properties for the attack type detection.
    Refer to the BIG-IP documentation, BIG-IP Systems: DoS Protection and Protocol Firewall Implementations for information on each attack type.
The settings are incorporated into the profile.

Edit DoS profiles

You can edit DoS profiles to fine tune what the system considers to be a DoS attack, and how the system handles a DoS attack.
  1. Click Configuration > SECURITY > Shared Security > DoS Profiles .
  2. In the DoS Profiles screen, click the name of the profile to modify.
    This locks the profile for editing and opens the properties screen.
    For details, consult these topics:
    • Configure for application security
    • Configure for protocol DNS
    • Configure for protocol SIP
    • Configure for network security
  3. Make edits as needed for your configuration.
    The system saves edits as you make them.
Changes to the DoS profile are saved.