DDoS Mitigation With BIG-IP AFM

In a list of attack vectors that you would NOT want to see aimed at your network, a Distributed Denial of Service (DDoS) attack would most certainly make anyone’s top ten.  DDoS has been a hot topic for quite some time now…and rightfully so.  A recent survey estimated that a DDoS attack can cost the targeted business upwards of $40,000 per hour.  DDoS attacks are relatively simple to conduct, but if a bad guy didn’t want to bother launching an attack himself, he could easily pay a small fee (I’ve seen as low as $6 a month) to have an attack launched against his target of choice.  I hate to say it, but it’s not if you’ll get hit with a DDoS attack, it’s when.

Fortunately, you have the power and precision of the BIG-IP AFM at your fingertips, and this module is extremely effective at blocking DDoS traffic while still ensuring your applications are available to your customers.  But, you say, how do I configure all this AFM goodness?  I’m glad you asked! 

Let’s take a look at the AFM and walk through all the DDoS settings and configurations.  The AFM has a robust set of DoS protection mechanisms, and it allows you to create a unique DoS profile, modify granular device configuration settings, and configure one or more White Lists to explicitly allow certain IP addresses (or ranges) to be excluded from the DoS protection.  See the screenshot below for all the DoS menu options.

 

 

The first thing to do is set up a DoS profile.  Navigate to Security >> DoS Protection >> DoS Profiles and click the “Create” button to create your new DoS profile.  You will have a few different options for configuring things when you create the DoS profile.  First, under the “Profile Information; General Settings” option, you’ll name the profile, specify the partition/path for the profile, and add a Source IP whitelist if needed.  Once you have done this, you are now ready to dig into the meat of the profile and start turning some really cool knobs.  See the screenshot below for a view of the Profile General Settings screen.

 

 

Next, you can turn on the power of the DNS protection.  We are planning an entire article for the DNS DDoS attacks, so stay tuned for more on how those work.  But, for this article, you’ll notice that, in the “Protocol DNS” section, you can enable the protection itself, enable detection of protocol error attacks, and finally enable detection of DNS query attacks from 14 commonly used DNS query types.  Notice, on the DNS query section, that you can set the threshold for packets per second, the rate increase percentage, and the rate limit for packets per second.  You’ll see these same settings for several of the DoS profile configuration options, but to save us all a little time, I’ll only explain the settings here (the same logic applies to these settings throughout the DoS profile configuration).  Here’s how it works. 

Let’s use the “a” DNS query as our example.  If the AFM detects that a certain number of “a” queries are sent in a one-second period of time, it will start to look for some bad DoS-type behavior from that specific type of request.  The “Threshold” value is the value you set for the AFM to start looking for DoS behavior from that query type.  The default on all the thresholds for all query types is 250,000 packets per second.  So, if 251,000 “a” query packets are sent in a one-second period of time, the AFM will start to look for bad “a” query behavior. 

The next value to set is the “Rate Increase” value.  For the “a” query, the AFM would calculate the number of “a” query packets received over the past hour and multiply that number by the Rate Increase percent.  Then, the AFM compares that resulting value to the number of “a” query packets received over the past minute.  If the one-minute average is higher than the result of the (one-hour X rate increase ) value, then the AFM knows this is a DoS attack using “a” query packets.  As such, it would start blocking the bad guys who are sending all these crazy “a” query packets. 

The final value is the Rate Limit.  This is pretty straightforward in that the AFM will only allow the specified number of packets in a given second.  So, in our “a” query example, the Rate Limit is set to 2,500,000 packets per second (the default value), and if more than that number of “a” query packets are received by the AFM in a one-second time interval, the AFM will drop the excess packets. 

Obviously, you can set each Threshold, Rate Increase percentage, and Rate Limit to whatever values you want.  And, you can set them all differently for each query type if you want!

See the screenshot below for all the details: 

 

Next, you can enable Protocol SIP Protection to defend against Session Initiation Protocol (SIP) attacks, Protocol Error attacks, and 12 common SIP method type attacks.  You’ll notice that the SIP protection uses the same approach as the DNS protection in that it sets Rate Thresholds, Rate Limits, and Rate Increase values.  See the screenshot below for details:

 

The last part of the DoS Profile configuration is the Network Protection settings.  In this section, you can enable overall Network Protection, Behavior analysis, and Network attack settings.  There are 24 different network attack types you can configure.  Notice the different settings in the screenshot below:

 

 

If you enable protection against any of the network attack types, you’ll see an additional window pop up that allows you to set the Threshold, Rate Increase, and Rate Limit values.  These values work exactly the same as in all the other sections of the DoS profile setup.  By the way, don’t forget to hit the “Finished” button at the bottom of the screen after you have all these settings configured.  See the screenshot below for details on enabling each of the attack types.

 

Now that you have the DoS Profile all configured and saved, you can apply the profile to any virtual server you want (or multiple virtual servers).  To do this, navigate to Local Traffic >> Virtual Servers >> Virtual Server List and click on the virtual server you want to protect.  Once you have selected the virtual server, navigate to the top menu and click on the “Security” tab and select the “Policies” menu item.  You will see an option for DoS Protection Profile…change it from “Disabled” to “Enabled” and then select the profile you just created.  Make sure you hit the “Update” button at the bottom of the menu.  See the screenshot below for details:

 

The next area of the DoS Protection covers the BIG-IP device itself.  These settings are not inherently associated with only one specific virtual server.  Rather, they are set so that they apply to all requests bound for any virtual server on the BIG-IP.  To configure these settings, navigate to Security >> DoS Protection >> Device Configuration and you will see the screen shown below:

 

Much like the “Network Profile” settings, the “Device Configuration” settings can be set individually.  Each of the settings actually includes a series of sub-settings that can be configured individually.  Once again, there are values for Threshold, Percent, and Limit and these values work the same as described before.  See the screenshot below for details.

 

The last area you can configure is the DoS Protection White List.  This list includes a setting for Protocol, Source, and Destination.  The protocol setting specifies the protocol that the white list traffic will be using (i.e. TCP, UDP, ICMP, etc).  The Source value identifies the IP address and VLAN combination that the AFM will recognize as acceptable to pass along traffic from.  The Destination value identifies the IP address and port number that the AFM will recognize as acceptable to pass along traffic to.  See the screenshot below for details.

 

When you configure all these settings on your BIG-IP AFM, the DDoS bad guys don’t stand a chance!  Get out there and set it up for yourself and see how powerful this DDoS protection can be.

 

Published Mar 29, 2016
Version 1.0

Was this article helpful?

5 Comments

  • John - thanks for sharing this article. I'm glad there is a strong focus with the delivery controllers in information security. Thanks for taking the time in making us all better.
  • Hi John,

     

    thanks for the article. Unfortunately it does not cover how to find out the right values for all those fancy attack types TMOS can detect and stop. There are differences based on BIG-IP/VIPRION hardware and of course there are differences in the backend hardware. The BIG-IP i5800 has default a value for pps of 2.147.483.647. This number of pps is much to high for a "standard" Virtual Machine server.

     

    There is a Whitepaper from David Holmes, listing Best Practices to mitigate DDoS attacks (https://f5.com/resources/white-papers/f5-ddos-protection-recommended-practices), but unfortunately it's completely outdated. It would be great if this would be updated, based on the most recent TMOS versions and features.

     

    Greets, Sven

     

  • Great Article John.

     

    Could you please explains us the best way to calculate the thresholds for AFM DDoS? It is not possible to see packets per second/ source ip. You can see only the overall.

     

    Thank you in advance!!

     

  • zack's avatar
    zack
    Icon for Altostratus rankAltostratus

    Hi John,

     

    I know this is a really late question but I am checking/learning AFM but quite confused regarding “Rate Increase”.

     

    To "Rate Increase" ( "Dectection %" in newer versions), does AFM really drops/rate limits packets when traffic over that percentage? Because in:

     

    https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/dns-dos-firewall-implementations-12-1-0/2.html

     

    " From the Detection Threshold Percent list, select Specify or Infinite. Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded. "

     

    So it sounds AFM just report but won't drop packets when traffic over the percentage threshold. Is it correct or any behavior change in v13 or v14?