L7 DoS protection¶
Overview¶
Manage the L7 DoS protection settings that mitigate denial-of-service (DoS) attacks.
L7 DoS protection identifies DoS attack behavior in traffic by applying machine learning and data analysis of HTTP signatures, TLS fingerprinting, and bad actors (assessment of IP addresses by traffic behavior and anomaly detection).
You can enable or disable each detection and mitigation technique to match your application's security requirements.
You can also set the mitigation mode, which lets you choose between precise mitigation (Conservative), service protection (Standard), and monitoring only (None).
To review notifications of when an attack started, ended, or a bad actor was detected (if applicable to your settings), see Reference: L7 DoS Event Logs or go to: Security → Event Logs → L7 DoS.
Prerequisites¶
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
Special instructions for L7 DoS Protection¶
F5 recommends a specific policy configuration and deployment procedure so that your L7 DoS protection has the best and most accurate visibility in the BIG-IP Next Central Manager L7 DoS dashboard and event logs.
If you do not configure your L7 DoS protection according to these recommendations, the visibility of L7 DoS protection for your applications might be inaccurate.
When creating L7 DoS protection, apply the following:
Create a separate WAF policy for L7 DoS protection. Aside from General Settings and L7 DoS protection, do not add additional WAF services to this policy.
Create a dedicated L7 DoS application service with ONE virtual server.
Deploy the dedicated L7 DoS application service to ONE BIG-IP Next instance.
IMPORTANT
If you require L7 DoS protection for a pool member (endpoint) that is located on a different BIG-IP Next instance, create or clone a separate L7 DoS WAF policy and attach it to another dedicated application service that has only one virtual server. You can clone the existing L7 DoS application service, but ensure it is attached to the correct policy.
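The three recommendations above, together with the per-instance limit stated in the Note under "How to configure L7 DoS Protection", can be checked mechanically before you deploy. The following lint is an added example, not Central Manager code, and it runs over a constructed inventory (policy name to enabled policy sections, and application services with their policy, virtual servers and instances); the section names `general_settings` and `l7dos` and the inventory layout are assumptions for this example, not a Central Manager export format.

```python
"""Lint a constructed L7 DoS deployment inventory against the recommended layout (added example)."""
from collections import Counter, defaultdict

MAX_L7_DOS_APPS_PER_INSTANCE = 70            # limit stated in the Note on this page
ALLOWED_POLICY_SECTIONS = {"general_settings", "l7dos"}   # assumed section names for this model


def lint_l7dos_deployment(policies, app_services):
    """Return a list of findings; an empty list means the layout follows the recommendations.

    policies:     {policy_name: set of enabled policy sections}
    app_services: [{"name": str, "policy": str, "virtual_servers": [str], "instances": [str]}]
    Both are a constructed inventory format, not a Central Manager export.
    """
    findings = []
    l7dos_policies = {name for name, sections in policies.items() if "l7dos" in sections}

    # 1. An L7 DoS policy carries nothing but General Settings and L7 DoS protection.
    for name in sorted(l7dos_policies):
        extra = policies[name] - ALLOWED_POLICY_SECTIONS
        if extra:
            findings.append(f"policy {name}: remove extra WAF sections {sorted(extra)}")

    services_by_policy = defaultdict(list)
    for svc in app_services:
        services_by_policy[svc["policy"]].append(svc)

    apps_per_instance = Counter()
    for name in sorted(l7dos_policies):
        svcs = services_by_policy.get(name, [])
        # 2. One dedicated application service per L7 DoS policy (clone the policy for a second one).
        if len(svcs) != 1:
            findings.append(f"policy {name}: attached to {len(svcs)} application services, expected 1")
        for svc in svcs:
            # 3. ONE virtual server and 4. ONE BIG-IP Next instance per dedicated service.
            if len(svc["virtual_servers"]) != 1:
                findings.append(f"{svc['name']}: {len(svc['virtual_servers'])} virtual servers, expected 1")
            if len(svc["instances"]) != 1:
                findings.append(f"{svc['name']}: deployed to {len(svc['instances'])} instances, expected 1")
            for inst in svc["instances"]:
                apps_per_instance[inst] += 1

    # 5. Per-instance cap on L7 DoS applications.
    for inst, n in sorted(apps_per_instance.items()):
        if n > MAX_L7_DOS_APPS_PER_INSTANCE:
            findings.append(f"instance {inst}: {n} L7 DoS applications exceeds "
                            f"the limit of {MAX_L7_DOS_APPS_PER_INSTANCE}")
    return findings


def sample_inventory():
    """Constructed inventory: one compliant L7 DoS deployment and one that breaks three rules."""
    policies = {
        "l7dos-shop": {"general_settings", "l7dos"},                  # compliant
        "l7dos-api": {"general_settings", "l7dos", "signatures"},     # extra WAF section
        "waf-main": {"general_settings", "signatures", "bot_defense"},  # ordinary WAF policy, not linted
    }
    app_services = [
        {"name": "shop-l7dos", "policy": "l7dos-shop",
         "virtual_servers": ["vs-shop"], "instances": ["bigip-next-1"]},
        {"name": "api-l7dos", "policy": "l7dos-api",
         "virtual_servers": ["vs-api-a", "vs-api-b"],          # two virtual servers
         "instances": ["bigip-next-1", "bigip-next-2"]},        # two instances: clone instead
        {"name": "main-app", "policy": "waf-main",
         "virtual_servers": ["vs-main"], "instances": ["bigip-next-1"]},
    ]
    return policies, app_services


if __name__ == "__main__":
    for finding in lint_l7dos_deployment(*sample_inventory()):
        print(finding)
```

Run it against an inventory pulled from your own environment; each finding maps to one of the numbered recommendations above, and an empty result means the dashboard and event-log visibility caveat does not apply.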
How to configure L7 DoS Protection¶
Before you begin: Read Special instructions for L7 DoS Protection.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click L7 DoS Protection.
The panel displays the policy’s settings.
If L7 DoS Protection is disabled, toggle the Enabled button. This will display the policy’s settings.
For Mitigation Mode, select one of the following modes:
Standard (Default) - For Bad Actors, slows down requests from anomalous IP addresses based on the anomaly detection confidence for each address and the server's health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server's health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server's health. If Signatures is enabled, blocks requests that match attack signatures.
Conservative - For Bad Actors, slows down and rate limits requests from anomalous IP addresses based on the anomaly detection confidence for each address and the server's health. If Signatures is enabled, blocks requests that match attack signatures.
None - Learns and monitors traffic behavior, but no action is taken.
Enable or disable Signatures. When enabled, the policy examines requests and creates behavioral signatures that describe the patterns found in identified attacks; requests that match a signature are blocked in the Standard and Conservative modes.
Enable or disable Bad Actors. When enabled, the policy identifies IP addresses of bad actors by examining traffic behavior and anomaly detection.
Enable or disable TLS fingerprint. When enabled, the policy uses TLS fingerprinting to distinguish between bad and good actors behind the same IP address (for example, behind NAT) and only blocks traffic from the bad actors.
Click Save.
The L7 DoS protection settings are saved, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
Note: You can deploy L7 DoS protection on up to 70 applications for a single BIG-IP Next instance.
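To make the interaction between the mitigation mode and the three detection toggles concrete, the following simplified model is an added example; it is not F5's detection algorithm, and its thresholds, its anomaly score (request rate relative to the median client), its behavioral signature (the path that dominates bad-actor traffic) and its server-health signal (backend latency) are all assumptions. Clients are keyed by IP address alone, or by IP address plus TLS fingerprint when that toggle is on, which is what lets a legitimate user behind the same NAT address as an attack tool escape mitigation. The traffic and fingerprint values are constructed.

```python
"""Simplified model of L7 DoS mitigation modes and detection toggles (added example, not F5 code)."""
from collections import Counter
from dataclasses import dataclass

ANOMALY_FACTOR = 5.0        # assumed: 5x the median client rate gives full anomaly confidence
BAD_ACTOR_CONFIDENCE = 0.5  # assumed: confidence at or above which a client is a bad actor
UNHEALTHY_LATENCY_MS = 800  # assumed health signal: backend latency above this means unhealthy
SIGNATURE_SHARE = 0.8       # assumed: share of bad-actor traffic on one path needed to form a signature


@dataclass(frozen=True)
class Request:
    src_ip: str
    tls_fp: str   # TLS client fingerprint (JA3-style hash); values below are constructed
    path: str


def client_key(req, tls_fingerprint):
    """Identity used for anomaly scoring: IP only, or IP plus TLS fingerprint when enabled."""
    return (req.src_ip, req.tls_fp) if tls_fingerprint else (req.src_ip,)


def anomaly_confidence(counts):
    """Confidence in [0, 1] that each client is anomalous, from its rate relative to the median."""
    rates = sorted(counts.values())
    median = max(rates[len(rates) // 2], 1)
    return {k: min(1.0, max(0.0, (n / median - 1) / (ANOMALY_FACTOR - 1))) for k, n in counts.items()}


def learn_signature(requests, keys, anomalous):
    """Behavioral signature: the path that dominates anomalous-client traffic, if one does."""
    paths = Counter(r.path for r, k in zip(requests, keys) if k in anomalous)
    if not paths:
        return None
    path, n = paths.most_common(1)[0]
    return path if n / sum(paths.values()) >= SIGNATURE_SHARE else None


def mitigate(requests, mode, server_latency_ms, *, signatures=True, bad_actors=True, tls_fingerprint=True):
    """Return bad actors, learned signature and a per-request action for one traffic window."""
    assert mode in ("none", "conservative", "standard")
    keys = [client_key(r, tls_fingerprint) for r in requests]
    conf = anomaly_confidence(Counter(keys))
    anomalous = {k for k, c in conf.items() if c >= BAD_ACTOR_CONFIDENCE}
    actors = anomalous if bad_actors else set()
    sig = learn_signature(requests, keys, anomalous) if signatures else None
    unhealthy = server_latency_ms > UNHEALTHY_LATENCY_MS
    actions = []
    for r, k in zip(requests, keys):
        if mode == "none":
            actions.append("allow")        # learn and monitor only, no action taken
        elif sig is not None and r.path == sig:
            actions.append("block")        # signature match: blocked in both active modes
        elif k in actors:
            actions.append("rate_limit")   # anomalous client slowed down / rate limited
        elif mode == "standard" and unhealthy:
            actions.append("rate_limit")   # Standard only: limit everyone while the server is unhealthy
        else:
            actions.append("allow")
    return {"bad_actors": actors, "signature": sig, "actions": actions, "summary": Counter(actions)}


def sample_traffic():
    """Constructed window: four legitimate browsers, one of them behind the same NAT IP as an attack tool."""
    reqs = []
    for ip, fp in [("198.51.100.21", "fp-chrome"), ("198.51.100.22", "fp-firefox"),
                   ("198.51.100.23", "fp-safari"), ("203.0.113.10", "fp-chrome")]:
        reqs += [Request(ip, fp, "/"), Request(ip, fp, "/static/app.js"), Request(ip, fp, "/api/search")]
    reqs += [Request("203.0.113.10", "fp-script", "/api/search")] * 40   # attack tool behind the NAT
    return reqs


if __name__ == "__main__":
    for mode, latency in [("none", 1200), ("conservative", 1200), ("standard", 1200), ("standard", 200)]:
        print(mode, latency, dict(mitigate(sample_traffic(), mode, latency)["summary"]))
    print("no TLS fingerprint:", dict(mitigate(sample_traffic(), "standard", 200, tls_fingerprint=False)["summary"]))
```

Two outcomes are worth noticing when you run it. With TLS fingerprinting on, only the `fp-script` client at 203.0.113.10 is a bad actor and the browser behind the same address is left alone; with it off, the whole address is anomalous and that browser is rate limited too. And because a behavioral signature matches a request pattern rather than a source, the legitimate requests to the signatured path are blocked as well, which is the trade-off between the Signatures and Bad Actors toggles that the settings above let you tune.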
Resources¶
Configure using API¶
Monitoring L7 DoS Protection¶
L7 DoS protection management using the Policy Editor¶
Edit the WAF policy JSON declaration directly through the WAF policy editor.