Denial of Service

This section contains declarations that use a Denial of Service (DoS) profile in order to thwart denial of service attacks.

Note

In BIG-IP AS3 3.29 (and BIG-IP 14.1 and later), if you submit a declaration that uses a pointer to a DoS profile, but does not include a pointer to a Bot Defense profile, BIG-IP AS3 creates a Bot Defense profile for you. The auto-generated Bot Defense profile uses the relevant properties from the DoS profile in the declaration. The new Bot Defense profile is named f5_appsvcs_<DoS profile name>_botDefense.

Important

Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

Using a DoS profile in a declaration

This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see Detecting and Preventing System DoS and DDoS Attacks and DoS Protection and Protocol Firewall Implementations (pdf).

Also see DOS_Profile in the Schema Reference for the usage options for these features in your BIG-IP AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_01.
  • A DoS profile with denylisted and allowlisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "DOS_Profile",
    "Sample_dos_01": {
        "class": "Tenant",
        "DOSApp": {
            "class": "Application",
            "Service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.1"
                ],
                "profileDOS": {
                    "use": "DOS_Profile"
                }
            },
            "DOS_Profile": {
                "class": "DOS_Profile",
                "application": {
                    "denylistedGeolocations": [
                        "Timor-Leste",
                        "Cocos (Keeling) Islands"
                    ],
                    "allowlistedGeolocations": [
                        "Bonaire, Saint Eustatius and Saba",
                        "Cote D'Ivoire"
                    ],
                    "captchaResponse": {
                        "first": "Are you a robot&quest;<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
                        "failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
                    },
                    "heavyURLProtection": {
                        "automaticDetectionEnabled": true,
                        "detectionThreshold": 16,
                        "excludeList": [
                            "example.com"
                        ],
                        "protectList": [
                            {
                                "url": "www.google.com",
                                "threshold": 0
                            }
                        ]
                    },
                    "triggerIRule": true,
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "botDefense": {
                        "mode": "during-attacks",
                        "blockSuspiscousBrowsers": true,
                        "issueCaptchaChallenge": true,
                        "gracePeriod": 4000,
                        "crossDomainRequests": "validate-bulk",
                        "siteDomains": [
                            "www.google.com"
                        ],
                        "externalDomains": [
                            "www.yahoo.com"
                        ],
                        "urlAllowlist": [
                            "www.bing.com"
                        ]
                    },
                    "botSignatures": {
                        "checkingEnabled": true,
                        "blockedCategories": [
                            {
                                "bigip": "/Common/Search Engine"
                            }
                        ],
                        "reportedCategories": [
                            {
                                "bigip": "/Common/Crawler"
                            }
                        ]
                    },
                    "rateBasedDetection": {
                        "operationMode": "off",
                        "thresholdsMode": "manual",
                        "escalationPeriod": 120,
                        "deEscalationPeriod": 7200,
                        "sourceIP": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "deviceID": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "geolocation": {
                            "minimumShare": 10,
                            "shareIncreaseRate": 500,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "url": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        },
                        "site": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        }
                    },
                    "stressBasedDetection": {
                        "badActor": {
                            "detectionEnabled": false,
                            "mitigationMode": "none",
                            "signatureDetectionEnabled": false,
                            "useApprovedSignaturesOnly": false
                        },
                        "operationMode": "off",
                        "thresholdsMode": "manual",
                        "escalationPeriod": 120,
                        "deEscalationPeriod": 7200,
                        "sourceIP": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "deviceID": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "geolocation": {
                            "minimumShare": 10,
                            "shareIncreaseRate": 500,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "rateLimitingMode": "rate-limit"
                        },
                        "url": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true,
                            "heavyURLProtectionEnabled": true
                        },
                        "site": {
                            "minimumTps": 40,
                            "tpsIncreaseRate": 500,
                            "maximumTps": 200,
                            "minimumAutoTps": 5,
                            "maximumAutoTps": 5000,
                            "clientSideDefenseEnabled": false,
                            "captchaChallengeEnabled": false,
                            "rateLimitingEnabled": true
                        }
                    },
                    "recordTraffic": {
                        "maximumDuration": 10,
                        "maximumSize": 10,
                        "recordTrafficEnabled": false,
                        "repetitionInterval": 10
                    }
                },
                "network": {
                    "dynamicSignatures": {
                        "detectionMode": "enabled",
                        "mitigationMode": "medium",
                        "scrubbingEnabled": true,
                        "scrubbingCategory": {
                            "bigip": "/Common/attacked_ips"
                        },
                        "scrubbingDuration": 60
                    },
                    "vectors": [
                        {
                            "type": "hop-cnt-low",
                            "state": "learn-only",
                            "thresholdMode": "manual",
                            "rateThreshold": 40000,
                            "rateIncreaseThreshold": 600,
                            "rateLimit": 1000000,
                            "simulateAutoThresholdEnabled": true,
                            "badActorSettings": {
                                "enabled": true,
                                "sourceDetectionThreshold": 0,
                                "sourceMitigationThreshold": 0
                            },
                            "autoDenylistSettings": {
                                "enabled": true,
                                "category": {
                                    "bigip": "/Common/botnets"
                                },
                                "attackDetectionTime": 1,
                                "categoryDuration": 60,
                                "externalAdvertisementEnabled": true
                            }
                        }
                    ]
                },
                "protocolDNS": {
                    "vectors": [
                        {
                            "type": "ptr",
                            "state": "mitigate",
                            "thresholdMode": "fully-automatic",
                            "autoAttackFloor": 0,
                            "autoAttackCeiling": 0
                        }
                    ]
                },
                "allowlist": {
                    "use": "addressList"
                },
                "applicationAllowlist": {
                    "use": "addressListHTTP"
                }
            },
            "addressList": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "10.0.0.10"
                ]
            },
            "addressListHTTP": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "10.0.0.11"
                ]
            }
        }
    }
}


Using a DoS profile for Mobile Defense

This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See DOS_Profile in the Schema Reference for usage options for using these features in your BIG-IP AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_02.
  • A DoS profile with mobile defense enabled.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "DOS_Profile": {
                "class": "DOS_Profile",
                "application": {
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "mobileDefense": {
                        "enabled": true,
                        "allowAndroidPublishers": [
                            {
                                "bigip": "/Common/default.crt"
                            }
                        ],
                        "allowAndroidRootedDevice": true,
                        "allowIosPackageNames": [
                            "theName"
                        ],
                        "allowJailbrokenDevices": true,
                        "allowEmulators": true,
                        "clientSideChallengeMode": "challenge"
                    }
                }
            }
        }
    }
}


Using Accelerated Signatures and TLS Signatures in a DoS profile

This example shows how you can use Accelerated Signatures (signature detection before connection establishment) and TLS Signatures (TLS signature detection before connection establishment) in a Denial of Service (DoS) profile in a declaration. See Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DoS profile, and DOS_Profile_Application_Stress_Based_Detection_Bad_Actor in the Schema Reference for AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named DOS_Profile_signatures.
  • A DoS profile with Accelerated Signatures and TLS Signatures enabled.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "DOS_Profile",
    "DOS_Profile_signatures": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "newDOS": {
                "class": "DOS_Profile",
                "application": {
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "stressBasedDetection": {
                        "badActor": {
                            "acceleratedSignaturesEnabled": true,
                            "tlsSignaturesEnabled": true
                        }
                    }
                }
            }
        }
    }
}


Using Network Vectors in a DoS Profile

This example shows how you can use Network Vectors in a DoS profile. The following declaration includes two options introduced in BIG-IP AS3 3.16.0: ip-low-ttl and non-tcp-connection; you must be using 3.16.0 or later to use these options (see BIG-IP TMOS version requirements in the Version Notice box).

See DOS_Network_Vector in the Schema Reference for BIG-IP AS3 usage options, and Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DoS profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_DOS_NetVector.
  • A DoS profile named DOS_NetVector with a list of Network Vectors, including ip-low-ttl and non-tcp-connection.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "id": "DOS_Profile",
    "Sample_DOS_NetVector": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "DOS_NetVector": {
                "class": "DOS_Profile",
                "network": {
                    "vectors": [{
                        "type": "ip-low-ttl",
                        "state": "learn-only",
                        "thresholdMode": "manual",
                        "rateThreshold": 40000,
                        "rateIncreaseThreshold": 600,
                        "rateLimit": 1000000,
                        "simulateAutoThresholdEnabled": true
                    },
                    {
                        "type": "non-tcp-connection",
                        "state": "learn-only",
                        "thresholdMode": "manual",
                        "rateThreshold": 40000,
                        "rateIncreaseThreshold": 600,
                        "rateLimit": 1000000,
                        "simulateAutoThresholdEnabled": true
                    }]
                }
            }
        }
    }
}


Using DNS Vectors in a DoS Profile

This example shows how you can use DNS Vectors in a DoS profile. The following declaration includes two options introduced in BIG-IP AS3 3.16.0: nxdomain and qdcount; you must be using 3.16.0 or later to use these options.

See DOS_DNS_Vector in the Schema Reference for BIG-IP AS3 usage options, and Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DoS profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_DOS_DnsVector.
  • A DoS profile named DOS_DnsVector with a list of DNS Vectors, including nxdomain and qdcount.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "id": "DOS_Profile",
    "Sample_DOS_DnsVector": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "DOS_DnsVector": {
                "class": "DOS_Profile",
                "protocolDNS": {
                    "vectors": [
                        {
                            "type": "qdcount",
                            "autoAttackFloor": 0,
                            "autoAttackCeiling": 0
                        },
                        {
                            "type": "nxdomain",
                            "state": "mitigate",
                            "thresholdMode": "fully-automatic",
                            "autoAttackFloor": 0,
                            "autoAttackCeiling": 0
                        }
                    ]
                }
            }
        }
    }
}


Referencing a Bot Defense profile

This example shows how you can reference an existing Bot Defense profile in a BIG-IP AS3 declaration in BIG-IP 14.1 and later. Previously this functionality was a part of the DoS profile, but was separated out in BIG-IP 14.1.

Note

In BIG-IP AS3 3.29 (and BIG-IP 14.1 and later), if you submit a declaration that uses a pointer to a DoS profile, but does not include a pointer to a Bot Defense profile, BIG-IP AS3 creates a Bot Defense profile for you. The auto-generated Bot Defense profile uses the relevant properties from the DoS profile in the declaration. The new Bot Defense profile is named f5_appsvcs_<DoS profile name>_botDefense.

For more information on Bot Defense profiles, see Configuring Bot Defense in the ASM Implementations Guide.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Bot_Def.
  • A virtual service named test.botDef that references an existing Bot Defense profile on the BIG-IP.
{
    "class": "AS3",
    "persist": false,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.17.0",
        "id": "Service_HTTP",
        "Example_Bot_Def": {
            "class": "Tenant",
            "Application": {
                "class": "Application",
                "test.botDef": {
                    "class": "Service_HTTP",
                    "virtualPort": 8080,
                    "virtualAddresses": [
                        "1.2.3.4"
                    ],
                    "profileBotDefense": {
                        "bigip": "/Common/bot-defense"
                    }
                }
            }
        }
    }
}
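The following is an added example, not F5 code or part of the AS3 documentation: a small pre-submission audit that walks a declaration and reports the points the examples above leave in a monitoring-only state (rateBasedDetection and stressBasedDetection with operationMode "off", vectors in learn-only state), checks that the vector types introduced in AS3 3.16.0 are used with a sufficient schemaVersion, verifies that allowlist use pointers resolve to a Firewall_Address_List in the same Application, and flags a profileDOS pointer without a profileBotDefense pointer (which AS3 3.29 on BIG-IP 14.1 and later fills in automatically). The embedded declaration is a constructed, trimmed mix of the Sample_dos_01 profile and the 3.16.0 vector examples.

```python
import json

# Constructed, trimmed declaration: the page's Sample_dos_01 profile plus the
# 3.16.0-only vector types from the Network/DNS vector examples.
DECLARATION = json.loads("""{
  "class": "ADC", "schemaVersion": "3.10.0", "id": "DOS_Profile",
  "Sample_dos_01": {"class": "Tenant",
    "DOSApp": {"class": "Application",
      "Service": {"class": "Service_HTTP", "virtualAddresses": ["192.0.2.1"],
                  "profileDOS": {"use": "DOS_Profile"}},
      "DOS_Profile": {"class": "DOS_Profile",
        "application": {"rateBasedDetection": {"operationMode": "off"},
                        "stressBasedDetection": {"operationMode": "off"}},
        "network": {"vectors": [{"type": "ip-low-ttl", "state": "learn-only"}]},
        "protocolDNS": {"vectors": [{"type": "nxdomain", "state": "mitigate"}]},
        "allowlist": {"use": "addressList"},
        "applicationAllowlist": {"use": "missingList"}},
      "addressList": {"class": "Firewall_Address_List", "addresses": ["10.0.0.10"]}
}}}""")

# Vector types this page says were introduced in BIG-IP AS3 3.16.0.
MIN_SCHEMA = {t: (3, 16, 0) for t in
              ("ip-low-ttl", "non-tcp-connection", "nxdomain", "qdcount")}


def iter_objects(declaration, wanted_class):
    """Yield (path, object, enclosing Application) for every object of wanted_class."""
    if declaration.get("class") == "AS3":  # unwrap the AS3 envelope if present
        declaration = declaration["declaration"]
    for tname, tenant in declaration.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for aname, app in tenant.items():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for oname, obj in app.items():
                if isinstance(obj, dict) and obj.get("class") == wanted_class:
                    yield f"/{tname}/{aname}/{oname}", obj, app


def audit(declaration):
    """Return sorted findings ('<path>: <issue>') for an ADC or AS3 declaration."""
    version = declaration.get("declaration", declaration)["schemaVersion"]
    schema = tuple(int(p) for p in version.split("."))
    out = []
    for path, prof, app in iter_objects(declaration, "DOS_Profile"):
        appl = prof.get("application", {})
        for key in ("rateBasedDetection", "stressBasedDetection"):
            if appl.get(key, {}).get("operationMode") == "off":
                out.append(f"{path}: {key}.operationMode is off")
        for section in ("network", "protocolDNS"):
            for vec in prof.get(section, {}).get("vectors", []):
                vtype = vec.get("type")
                if vec.get("state") == "learn-only":  # detects but never mitigates
                    out.append(f"{path}: {section} vector {vtype} is learn-only")
                if schema < MIN_SCHEMA.get(vtype, (0, 0, 0)):
                    out.append(f"{path}: vector {vtype} needs schemaVersion 3.16.0")
        for key in ("allowlist", "applicationAllowlist"):  # 'use' must resolve
            target = prof.get(key, {}).get("use")
            if target and app.get(target, {}).get("class") != "Firewall_Address_List":
                out.append(f"{path}: {key} target {target!r} is not a Firewall_Address_List")
    for path, svc, _ in iter_objects(declaration, "Service_HTTP"):
        if "profileDOS" in svc and "profileBotDefense" not in svc:
            out.append(f"{path}: profileDOS without profileBotDefense "
                       "(AS3 3.29+ on BIG-IP 14.1+ auto-creates f5_appsvcs_<DoS profile name>_botDefense)")
    return sorted(out)
```

Run audit() over a declaration before POSTing it; an empty list means none of the checks above fired.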
