Manual Chapter :
Adjusting Global Settings
Applies To:
Show Versions
F5 DDoS Hybrid Defender
- 13.1.0
Overview: Adjusting global settings
DDoS Hybrid Defender™ uses reasonable default settings for the global system settings. Some environments may require adjustments to port numbers, allowed protocols, or thresholds that signal an attack. For example, you may use a different DNS or SIP port number from the one that is configured. In that case, you can change it.
Many of the thresholds indicate the value at which a packet, header, URI, or other setting is considered too large, too small, or not typical. This does not necessarily indicate an attack. It means that the value is unusual enough that you should take a look at what's happening on the system. You may want to change the global settings because the traffic should be allowed and should not cause alarm.
However, note that adjusting these settings should be needed only in rare cases. The changes should be made only by an administrator familiar with the applications, servers, or other network objects that DDoS Hybrid Defender is protecting.
Adjusting global settings
You can adjust global settings on DDoS Hybrid Defender™ if the
default values are not right for your environment.
The global settings are applied at the system level.
Global Settings
You need to adjust the global settings only if something is not working correctly. For example, if your systems use a DNS port other than 53.
Flow Eviction Policy
| Setting | Default Value | What It Specifies |
|---|---|---|
| Trigger Thresholds | High water mark 95%; Low water mark 85% | Specifies a high and low water mark that is a percentage of the quota of flows before flow eviction starts (high water mark) and ends (low water mark). |
| Strategies | None | Specifies which traffic flows to drop as much as possible:
|
| Slow Flow Detection |
|
Enables the features and specifies what constitutes slow flows:
|
Ports & VLANS
| Setting | Default Value | What It Specifies |
|---|---|---|
| UDP Port Inclusion/Exclusion List | Exclude | Specifies UDP ports to analyze for DDoS attacks (Include) or exclude from analysis (Exclude) for all protected objects. One at a time, type the port number, select source and/or destination, and click Add. |
| DNS Port | 53 | Specifies which port to use for DNS traffic, if the default of 53 is not correct. |
| DNS VLAN | 0 | Specifies which VLAN should receive external DNS responses. The default is 0, all VLANs. |
| SIP Port | 5060 | Specifies which port to use for SIP traffic, if the default of 5060 is not correct. |
Allowed Protocols & Options
| Setting | Default Value | What It Specifies |
|---|---|---|
| Allowed non-Standard IP Protocols | Protocol 1 & 2: 255 | Specifies the protocol number of one or two IP protocols that the Unknown IP Protocol DoS vector should treat as known (that is, ignored). Note: Though valid values are 0-255, IP protocols 0-142 are already known by the vector so specifying an IP protocol number in that range has no effect on the behavior of the vector. |
| Allowed non-Standard ICMPv6 Types | Type 1 & 2: 158 | Specifies one or two additional ICMPv6 message types for the Unknown ICMPv6 Message Type vector to treat as known (that is, ignored). The allowed values are 0-254. However, ICMPv6 message types 0-132, 134, and 135 are already ignored by the vector so specifying one of those message types has no effect on the behavior of the vector. |
| Allowed non-Standard TCP Types | Type 1 & 2: 0 | Specifies one or two TCP option types for the Unknown TCP Option Type vector to treat as known (that is, ignored). Though valid values are 0-255, option types 0-5, 8, 19-21, 30, 34, 128, and 254 are allowed and have no effect on the behavior of the vector. |
Thresholds
| Setting | Default Value | What It Specifies |
|---|---|---|
| IPv6 Single Endpoint Prefix Length | 128 | Specifies whether a single endpoint in IPv6 is /64 or /128 (or some other prefix). |
| IPv4 Low TTL | 1 | Defines the minimum acceptable value for TTL (time to live) in the IPv4 header. |
| IPv6 Low Hop Count | 1 | Specifies the minimum acceptable value for IPv6 Hop Count. |
| Too Large DNS Packet | 4096 | Specifies the size at which a DNS packet is considered oversized. |
| Too Large ICMPv4 Packet | 1480 | Specifies the size at which an ICMPv4 packet is considered oversized. |
| Too Large ICMPv6 Packet | 1460 | Specifies the size at which an ICMPv6 packet is considered oversized. |
| Too Large IPv6 Extension Header | 128 | Specifies the size at which an IPv6 Extension Header is considered oversized. |
| Too Many IPv6 Extension Headers | 4 | Specifies the number of IPv6 Extension Headers that are considered too many. |
| Too Long SIP URI | 1024 | Specifies the length at which a SIP URI is considered too long. |
| Too Small TCP Window Size | 0 | Specifies the window size that is considered too small. |
| Too Large TCP SYN Packet | 64 | Specifies the size at which a TCP SYN packet is considered oversized. |
Blacklist Publisher
| Setting | Default Value | What It Specifies |
|---|---|---|
| Blacklist Publisher Next-Hop | Any | Specifies the next hop address of the BGP router to which you want to advertise blacklisted addresses. |
| Scrubbing | None | Specifies the type of scrubbing: BGP (specify IPv4 or IPv6 address), Silverline, or none. |
Sending the blacklist to a next-hop router
DDoS Hybrid Defender™ detects bad actors, adding their IP
addresses to a blacklist temporarily. You can specify an edge router to which to
advertise the blacklist, so it can stop the traffic causing a DoS attack.
- On the Main tab, click .
- On the menu bar, click Global Settings.
- In the Blacklist Publisher area, in the Advertisement Next-Hop field, type the IP address of a next-hop router to which to send the blacklist.
- Click Update.
The router you configured will drop traffic from IP addresses on the blacklist until the blacklist entry is automatically removed.
