Manual Chapter : Preventing DDoS Flood and Sweep Attacks

Applies To:


F5 DDoS Hybrid Defender

  • 14.0.0

About DoS sweep and flood attack prevention

A sweep attack is a network scanning technique: the attacker sends packets to many addresses across your network and uses the responses to determine which hosts are live. Typical sweeps use ICMP.

The Sweep vector tracks packets by source address. Packets from a specific source that match the Single Endpoint Sweep criteria and exceed the rate limit are dropped. You can also configure the Sweep vector to automatically blacklist the IP address from which the sweep originates.

Important: The sweep mechanism protects against a flood attack from a single source, whether that attack is to a single destination host or multiple hosts.

A flood attack is an attack technique that floods your network with packets of a certain type in an attempt to overwhelm the system. A typical attack floods the system with SYN packets and never completes the handshake with the corresponding ACKs. A UDP flood sends a large number of UDP packets, forcing the target to check for a listening application on each port and to generate responses.

The Flood vector tracks packets per destination address. Packets to a specific destination that match the Single Endpoint Flood criteria and exceed the rate limit are dropped. The system logs an attack when the configurable detection threshold is crossed, and rate limits packets to that destination once the mitigation threshold is exceeded.

You can configure DoS sweep and flood prevention to detect and prevent floods and sweeps of ICMP, UDP, TCP SYN without ACK, or any IP packets that originate from a single source address, according to the threshold setting. Both IPv4 and IPv6 are supported. The sweep vector acts first, so a packet flood from a single source address to a single destination address is handled by the sweep vector.

Sweep and flood are the first mitigations whose effect is confined to the hosts actually involved in the attack. For example, the device-level TCP SYN Flood vector rate limits all TCP SYNs, good and bad, once its rate limit threshold is reached. Sweep protection detects and rate limits only the offending sources, and Flood protection limits only the traffic to the targeted host. Collateral damage is much lower when you mitigate with these vectors, so you can set their limits lower than would be reasonable for the indiscriminate vectors.
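The collateral-damage argument above is easy to see by running the same one second of traffic through three rate limiters that differ only in what they count on. The following is an added illustration written for this page, not F5 code: the addresses, packet counts and the 100/500 packets-per-second thresholds are constructed assumptions, and the "global" scope is a stand-in for the indiscriminate device-level vector the text contrasts with.

```python
"""Added illustration (not F5 code) of how the scope a DoS vector tracks on
decides which packets get rate limited:

  'source'      - one counter per source address      (Single Endpoint Sweep)
  'destination' - one counter per destination address (Single Endpoint Flood)
  'global'      - one counter for all packets of the type (the indiscriminate
                  device-level TCP SYN Flood vector)

Addresses, packet counts and thresholds are constructed for the demo and are
not F5 defaults.
"""
from collections import Counter

SWEEPER = "10.0.0.99"   # constructed: scans 200 hosts, one SYN each
FLOODER = "10.0.0.7"    # constructed: 300 SYNs at a single host
VICTIM = "192.0.2.10"
OTHER = "192.0.2.20"
ATTACKERS = {SWEEPER, FLOODER}


def one_second_of_syns():
    """Constructed, time-ordered SYN stream for one second as (src, dst) tuples.

    Each round every active sender emits one packet. Forty legitimate clients
    arrive staggered while the attack is under way; each sends 5 SYNs to VICTIM
    and 1 to OTHER. Total: 200 sweep + 300 flood + 240 legitimate = 740 packets.
    """
    pkts = []
    for r in range(300):
        if r < 200:
            pkts.append((SWEEPER, f"192.0.2.{r + 1}"))
        pkts.append((FLOODER, VICTIM))
        for c in range(40):
            start = 7 * c
            if start <= r < start + 5:
                pkts.append((f"198.51.100.{c + 1}", VICTIM))
            elif r == start + 5:
                pkts.append((f"198.51.100.{c + 1}", OTHER))
    return pkts


def rate_limit(packets, scope, mitigation_threshold):
    """First-come rate limiter: a packet is forwarded while its scope key has
    seen at most mitigation_threshold packets this second, otherwise dropped.
    Returns (forwarded, dropped)."""
    key_of = {"source": lambda p: p[0],
              "destination": lambda p: p[1],
              "global": lambda p: "*"}[scope]
    seen = Counter()
    forwarded, dropped = [], []
    for p in packets:
        k = key_of(p)
        seen[k] += 1
        (forwarded if seen[k] <= mitigation_threshold else dropped).append(p)
    return forwarded, dropped


def summarize(scope, threshold, packets=None):
    """Run the limiter and report what the drops cost legitimate clients."""
    packets = one_second_of_syns() if packets is None else packets
    _, dropped = rate_limit(packets, scope, threshold)
    legit_dropped = [p for p in dropped if p[0] not in ATTACKERS]
    return {
        "scope": scope,
        "dropped": len(dropped),
        "attack_dropped": len(dropped) - len(legit_dropped),
        "legit_dropped": len(legit_dropped),
        "hosts_with_legit_loss": sorted({dst for _, dst in legit_dropped}),
    }


if __name__ == "__main__":
    # Per-endpoint vectors can run with a lower limit (100/s here) than the
    # indiscriminate vector (500/s), as the text above suggests.
    for scope, thr in (("source", 100), ("destination", 100), ("global", 500)):
        print(summarize(scope, thr))
```

With the per-source scope only the two attackers lose packets and no legitimate client is touched; with the per-destination scope the loss is confined to the targeted host, while the other host's clients are untouched; with the global counter, even at a five times higher limit, legitimate clients of both hosts lose packets. The limiter is first-come within each second, which is why the per-destination vector still drops some good traffic to the victim: it protects the host, not the individual clients.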

Protecting against single-endpoint flood and sweep attacks

You can configure device-level protection against single-endpoint flood and sweep attacks for all traffic passing through the system.
  1. On the Main tab, click DoS Configuration > Device Protection .
  2. Select the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, and therefore also triggers fewer false positives.
  3. Expand the Network family, and click Single Endpoint Flood.
    The settings appear on the right.
  4. By default, the system enforces all of the vectors at some level. To enforce the DoS vector, make sure the State is set to Mitigate (watch, learn, alert, and mitigate).
    Other options allow you to Detect Only (watch, learn, and alert) or Learn Only (collect stats, no mitigation).
    CAUTION:
    For most DoS vectors, you want to enforce the vector. Set a vector to Disabled (no stat collection, no mitigation) only when you find that enforcement of the vector is disrupting legitimate traffic. For example, if you test a legitimate packet with the packet tester and find a DoS vector is preventing packet transmission, you can adjust the thresholds or disable the vector to remedy the issue.
  5. From the Detection Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second; for these vectors an event is a packet) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for as long as the threshold is exceeded.
    • Use Infinite to set no value for the threshold.
  6. From the Mitigation Threshold EPS list, select Specify or Infinite.
    • Use Specify to set a value (in events per second), which cannot be exceeded. If the number of events of this type exceeds the threshold, excess events are dropped until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  7. In the Packet Type area, select the packet types you want to detect for this attack type in the Available list, and move them to the Selected list.
  8. In the Attack Type list, click Single Endpoint Sweep.
    The settings appear on the right, and are the same as for the flood, so you complete them the same way. Additional blacklist settings are available.
  9. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
  10. Select the Category Name to which blacklist entries generated by Bad Actor Detection are added.
  11. Specify the Sustained Attack Detection Time, in seconds, after which an IP address is blacklisted.
  12. To change the duration for which the address is blacklisted, specify the duration in seconds in the Category Duration Time field. The default duration for an automatically blacklisted item is 4 hours (14400 seconds).
    After this time period, the IP address is removed from the blacklist.
  13. To allow IP source blacklist entries to be advertised to edge routers, so that they null-route traffic from those addresses before it reaches the system, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher for the Advertisement Next-Hop in the Global Settings.
  14. When you finish adjusting the settings of the attack types, click Commit Changes to System.
    The device protection configuration is updated.
Now you have configured the system to provide protection against single-endpoint DoS flood and sweep attacks at the system level for all traffic passing through, and to allow such attacks to be identified in system logs and reports. You can similarly protect against sweep and specific flood attacks in protection profiles that more narrowly guard specific backend servers.
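Steps 5, 6 and 9 to 12 above combine four settings with distinct timing roles: the detection threshold (log an attack), the mitigation threshold (drop the excess), the Sustained Attack Detection Time (how long a source must stay over the detection threshold before it is blacklisted) and the Category Duration Time (how long it stays listed). The model below is an added example written for this page, not F5 code and not a description of how the product implements these timers internally; the class name, the per-second rates and the short durations in the scenario are constructed assumptions, and only the 14400-second default duration comes from the text.

```python
"""Added example (not F5 code): a per-source model of the sweep vector timers
described in the procedure above, applied one second at a time.

Every number here is a constructed assumption except the 4-hour (14400 s)
default Category Duration Time quoted in the text."""
from dataclasses import dataclass, field


@dataclass
class SweepVector:
    detection_threshold: int          # EPS above which an attack is logged
    mitigation_threshold: int         # EPS above which excess packets are dropped
    sustained_attack_seconds: int     # Sustained Attack Detection Time
    category_duration: int = 14400    # Category Duration Time, default 4 hours
    blacklist: dict = field(default_factory=dict)   # src -> second the entry expires
    over_since: dict = field(default_factory=dict)  # src -> first second over detection
    log: list = field(default_factory=list)         # (second, event, src) tuples

    def tick(self, now, src, pps):
        """Process one second of traffic from src arriving at pps packets/s.
        Returns how many of those packets are forwarded."""
        # Expire a blacklist entry whose Category Duration Time has run out.
        if src in self.blacklist and now >= self.blacklist[src]:
            del self.blacklist[src]
            self.log.append((now, "unblacklist", src))
        if src in self.blacklist:
            return 0                    # a listed source is dropped outright
        if pps > self.detection_threshold:
            first = self.over_since.setdefault(src, now)
            self.log.append((now, "attack-detected", src))
            # Blacklist once the source has been over the detection threshold
            # for sustained_attack_seconds consecutive seconds.
            if now - first + 1 >= self.sustained_attack_seconds:
                self.blacklist[src] = now + self.category_duration
                self.log.append((now, "blacklist", src))
                return 0
        else:
            self.over_since.pop(src, None)   # rate fell back: reset the sustained timer
        # Not listed: forward up to the mitigation threshold, drop the excess.
        return min(pps, self.mitigation_threshold)


def simulate():
    """Constructed scenario: a source bursts for several seconds, is blacklisted
    on its third consecutive second over the detection threshold, stays listed
    for a (deliberately short) 5 s category duration, then is unlisted and its
    now-quiet traffic flows again. Returns (forwarded per second, log, blacklist)."""
    v = SweepVector(detection_threshold=100, mitigation_threshold=150,
                    sustained_attack_seconds=3, category_duration=5)
    rates = [50, 120, 400, 400, 400, 10, 10, 10, 10, 10, 10]   # pps per second
    forwarded = [v.tick(t, "10.0.0.99", r) for t, r in enumerate(rates)]
    return forwarded, v.log, v.blacklist


if __name__ == "__main__":
    fwd, log, bl = simulate()
    print("forwarded per second:", fwd)
    for entry in log:
        print(entry)
```

In the scenario the second at 120 pps is logged as an attack but forwarded in full because it is under the mitigation threshold; the 400 pps seconds are cut to 150 until the sustained timer expires, after which the source is dropped entirely until its category entry ages out. Note the reset in the else branch: a source that dips under the detection threshold for even one second restarts its sustained-attack clock, which is the behaviour a bad actor will try to exploit by pulsing, so the Sustained Attack Detection Time should be short relative to the bursts you expect to see.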

Protecting objects from specific flood attacks

You can use DDoS Hybrid Defender™ to guard protected objects from specific flood attacks.
  1. On the Main tab, click DoS Configuration > Protection Profiles .
  2. Click the name of the protection profile to edit, or create a new one.
  3. For Families, make sure Network is selected.
  4. Expand the Network category.
  5. In the Search text filter, type flood to show only the flood vectors.
  6. Click the type of flood for which you want to change the settings.
    The settings appear on the right.
  7. Adjust the settings as needed.
    Tip: For Threshold Mode, click Fully Automatic to allow the system to determine the thresholds based on traffic.
  8. When you finish adjusting the settings of the vectors, click Commit Changes to System.
    The protection profile is updated.
Now you have configured the system to prevent DDoS flood attacks on the protected objects that use the updated protection profile.