Denial of Service

This section contains declarations that use a Denial of Service (DoS) profile in order to thwart denial of service attacks.

Note

As of AS3 3.10.0, if a Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

Important

Most of the example declarations have been updated in the documentation for AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

1: Using a DoS profile in a declaration

This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see Detecting and Preventing System DoS and DDoS Attacks and DoS Protection and Protocol Firewall Implementations (pdf).

Also see DOS_Profile in the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_01.
  • A DoS profile with blacklisted and whitelisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "Sample_dos_01": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "blacklistedGeolocations": ["Timor-Leste", "Cocos (Keeling) Islands"],
            "whitelistedGeolocations": ["Bonaire, Saint Eustatius and Saba", "Cote D'Ivoire"],
            "captchaResponse": {
              "first": "Are you a robot&quest;<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
              "failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
            },
            "heavyURLProtection": {
              "automaticDetectionEnabled": true,
              "detectionThreshold": 16,
              "excludeList": ["example.com"],
              "protectList": [{
                  "url": "www.google.com",
                  "threshold": 0
                }
              ]
            },
            "triggerIRule": true,
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "profileAcceleration": {
              "bigip": "/Common/full-acceleration"
            },
            "botDefense": {
              "mode": "during-attacks",
              "blockSuspiscousBrowsers": true,
              "issueCaptchaChallenge": true,
              "gracePeriod": 4000,
              "crossDomainRequests": "validate-bulk",
              "siteDomains": ["www.google.com"],
              "externalDomains": ["www.yahoo.com"],
              "urlWhitelist": ["www.bing.com"]
            },
            "botSignatures": {
              "checkingEnabled": true,
              "blockedCategories": [{
                  "bigip": "/Common/Search Engine"
                }
              ],
              "reportedCategories": [{
                  "bigip": "/Common/Crawler"
                }
              ]
            },
            "rateBasedDetection": {
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "stressBasedDetection": {
              "badActor": {
                "detectionEnabled": false,
                "mitigationMode": "none",
                "signatureDetectionEnabled": false,
                "useApprovedSignaturesOnly": false
              },
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "heavyURLProtectionEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "recordTraffic": {
              "maximumDuration": 10,
              "maximumSize": 10,
              "recordTrafficEnabled": false,
              "repetitionInterval": 10
            }
          },
          "network": {
            "dynamicSignatures": {
              "detectionMode": "enabled",
              "mitigationMode": "medium",
              "scrubbingEnabled": true,
              "scrubbingCategory": {
                "bigip": "/Common/attacked_ips"
              },
              "scrubbingDuration": 60
            },
            "vectors": [{
                "type": "hop-cnt-low",
                "state": "learn-only",
                "thresholdMode": "manual",
                "rateThreshold": 40000,
                "rateIncreaseThreshold": 600,
                "rateLimit": 1000000,
                "simulateAutoThresholdEnabled": true,
                "badActorSettings": {
                  "enabled": true,
                  "sourceDetectionThreshold": 0,
                  "sourceMitigationThreshold": 0
                },
                "autoBlacklistSettings": {
                  "enabled": true,
                  "category": {
                    "bigip": "/Common/botnets"
                  },
                  "attackDetectionTime": 1,
                  "categoryDuration": 60,
                  "externalAdvertisementEnabled": true
                }
              }
            ]
          },
          "protocolDNS": {
            "vectors": [{
                "type": "ptr",
                "state": "mitigate",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 0,
                "autoAttackCeiling": 0
              }
            ]
          },
          "protocolSIP": {
            "vectors": [{
                "type": "cancel",
                "state": "disabled",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 4294967295,
                "autoAttackCeiling": 4294967295,
                "rateIncreaseThreshold": 4294967295
              }
            ]
          },
          "whitelist": {
            "use": "addressList"
          },
          "applicationWhitelist": {
            "use": "addressListHTTP"
          }
        },
        "addressList": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.10"]
        },
        "addressListHTTP": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.11"]
        }
      }
    }
  }
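
A pre-deployment check for declarations like the one above, added here as an example and not part of AS3 or its documentation: it walks a declaration, finds every DOS_Profile, and reports the settings that detect or learn but never mitigate (rate-based and stress-based detection with operationMode "off", vectors in "learn-only" or "disabled" state), plus whitelists that point at an empty Firewall_Address_List (see the Note at the top of this page). The sample declaration is a constructed abbreviation of Sample_dos_01, and the operationMode values "transparent" and "blocking" are assumed from the BIG-IP DoS profile's operation modes.

```python
import json

# Constructed sample, abbreviated from the Sample_dos_01 declaration above.
SAMPLE = json.loads("""{
  "class": "ADC", "schemaVersion": "3.6.0", "id": "DOS_Profile",
  "Sample_dos_01": {"class": "Tenant", "Application": {
    "class": "Application",
    "DOS_Profile": {
      "class": "DOS_Profile",
      "application": {"rateBasedDetection": {"operationMode": "off"},
                      "stressBasedDetection": {"operationMode": "off"}},
      "network": {"vectors": [{"type": "hop-cnt-low", "state": "learn-only"}]},
      "protocolDNS": {"vectors": [{"type": "ptr", "state": "mitigate"}]},
      "protocolSIP": {"vectors": [{"type": "cancel", "state": "disabled"}]},
      "whitelist": {"use": "addressList"}},
    "addressList": {"class": "Firewall_Address_List", "addresses": []}}}
}""")


def find_dos_profiles(node, path=""):
    """Recursively yield (path, profile, parent) for every DOS_Profile object."""
    if isinstance(node, dict):
        for name, child in node.items():
            if isinstance(child, dict) and child.get("class") == "DOS_Profile":
                yield f"{path}/{name}", child, node
            else:
                yield from find_dos_profiles(child, f"{path}/{name}")


def audit_dos_profiles(decl):
    """List settings that only observe or learn and therefore never block."""
    findings = []
    for path, prof, app in find_dos_profiles(decl):
        appsec = prof.get("application", {})
        for key in ("rateBasedDetection", "stressBasedDetection"):
            mode = appsec.get(key, {}).get("operationMode")
            if mode in ("off", "transparent"):  # assumed: only "blocking" enforces
                findings.append(f"{path}: {key}.operationMode is {mode}")
        for section in ("network", "protocolDNS", "protocolSIP"):
            for vec in prof.get(section, {}).get("vectors", []):
                state = vec.get("state")
                if state is not None and state != "mitigate":
                    findings.append(f"{path}: {section} vector {vec['type']} is {state}")
        for key in ("whitelist", "applicationWhitelist"):
            # "use" points at a sibling Firewall_Address_List in the same Application
            ref = prof.get(key, {}).get("use")
            if ref and not app.get(ref, {}).get("addresses"):
                findings.append(f"{path}: {key} -> {ref} has no addresses "
                                "(AS3 3.10.0+ substitutes ::1:5ee:bad:c0de)")
    return findings


if __name__ == "__main__":
    for finding in audit_dos_profiles(SAMPLE):
        print(finding)
```

Run against the full Sample_dos_01 declaration, the same function flags both detection modes, the hop-cnt-low and cancel vectors, and nothing for the populated address lists.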

2: Using a DoS profile for Mobile Defense

This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See DOS_Profile in the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_02.
  • A DoS profile with mobile defense enabled.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "mobileDefense": {
              "enabled": true,
              "allowAndroidPublishers": [{
                  "bigip": "/Common/default.crt"
                }
              ],
              "allowAndroidRootedDevice": true,
              "allowIosPackageNames": ["theName"],
              "allowJailbrokenDevices": true,
              "allowEmulators": true,
              "clientSideChallengeMode": "challenge"
            }
          }
        }
      }
    }
  }

3: Using Accelerated Signatures and TLS Signatures in a DOS profile

This example shows how you can use Accelerated Signatures (enables signature detection before the connection is established) and TLS Signatures (enables TLS signature detection before the connection is established) in a Denial of Service (DoS) profile in a declaration. See Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DOS profile, and DOS_Profile_Application_Stress_Based_Detection_Bad_Actor in the Schema Reference for AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named DOS_Profile_signatures.
  • A DoS profile with Accelerated Signatures and TLS Signatures enabled.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "DOS_Profile",
    "DOS_Profile_signatures": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "newDOS": {
                "class": "DOS_Profile",
                "application": {
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "stressBasedDetection": {
                        "badActor": {
                            "acceleratedSignaturesEnabled": true,
                            "tlsSignaturesEnabled": true
                        }
                    }
                }
            }
        }
    }
}

4: Using Network Vectors in a DOS Profile

This example shows how you can use Network Vectors in a DOS profile. The following declaration includes two options introduced in AS3 3.16.0: ip-low-ttl and non-tcp-connection; you must be using 3.16.0 or later to use these options (see BIG-IP TMOS version requirements in the Version Notice box).

See DOS_Network_Vector in the Schema Reference for AS3 usage options, and Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DOS profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_DOS_NetVector.
  • A DoS profile named DOS_NetVector with a list of Network Vectors, including ip-low-ttl and non-tcp-connection.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "id": "DOS_Profile",
    "Sample_DOS_NetVector": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "DOS_NetVector": {
                "class": "DOS_Profile",
                "network": {
                    "vectors": [{
                        "type": "ip-low-ttl",
                        "state": "learn-only",
                        "thresholdMode": "manual",
                        "rateThreshold": 40000,
                        "rateIncreaseThreshold": 600,
                        "rateLimit": 1000000,
                        "simulateAutoThresholdEnabled": true
                    },
                    {
                        "type": "non-tcp-connection",
                        "state": "learn-only",
                        "thresholdMode": "manual",
                        "rateThreshold": 40000,
                        "rateIncreaseThreshold": 600,
                        "rateLimit": 1000000,
                        "simulateAutoThresholdEnabled": true
                    }]
                }
            }
        }
    }
}

5: Using DNS Vectors in a DOS Profile

This example shows how you can use DNS Vectors in a DOS profile. The following declaration includes two options introduced in AS3 3.16.0: nxdomain and qdcount; you must be using 3.16.0 or later to use these options.

See DOS_DNS_Vector in the Schema Reference for AS3 usage options, and Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DOS profile.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_DOS_DnsVector.
  • A DoS profile named DOS_DnsVector with a list of DNS Vectors, including nxdomain and qdcount.
{
    "class": "ADC",
    "schemaVersion": "3.16.0",
    "id": "DOS_Profile",
    "Sample_DOS_DnsVector": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "DOS_DnsVector": {
          "class": "DOS_Profile",
          "protocolDNS": {
            "vectors": [{
                "type": "qdcount",
                "autoAttackFloor": 0,
                "autoAttackCeiling": 0
            },
            {
                "type": "nxdomain",
                "state": "mitigate",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 0,
                "autoAttackCeiling": 0
            }]
          }
        }
      }
    }
  }

6: Referencing a Bot Defense profile

This example shows how you can reference an existing Bot Defense profile in an AS3 declaration in BIG-IP 14.1 and later. Previously this functionality was a part of the DoS profile, but was separated out in BIG-IP 14.1.

For more information on Bot Defense profiles, see Configuring Bot Defense in the ASM Implementations Guide.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Bot_Def.
  • A virtual service named test.botDef that references an existing Bot Defense profile on the BIG-IP.
{
    "class": "AS3",
    "persist": false,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.17.0",
        "id": "Service_HTTP",
        "Example_Bot_Def": {
            "class": "Tenant",
            "Application": {
                "class": "Application",
                "test.botDef": {
                    "class": "Service_HTTP",
                    "virtualPort": 8080,
                    "virtualAddresses": [
                        "1.2.3.4"
                    ],
                    "profileBotDefense": {
                        "bigip": "/Common/bot-defense"
                    }
                }
            }
        }
    }
}
