Denial of Service

This section contains declarations that use a Denial of Service (DoS) profile in order to thwart denial of service attacks.

Note

As of AS3 3.10.0, if the a Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

1: Using a DoS profile in a declaration

This example shows how you can use a Denial of Service (DoS) profile in a declaration. The DoS profile can provide specific attack prevention at a very granular level. In the following example, we include nearly all of the available features in the DoS profile, with the exception of Mobile Defense, which we show in example 10. For detailed information on DoS profiles and the features in this declaration, see Detecting and Preventing System DoS and DDoS Attacks and DoS Protection and Protocol Firewall Implementations (pdf). Also see the Schema Reference for usage options for using these features in your AS3 declarations.

We could mention something about the dummy address being removed if other addresses are added to the list, but I think this sums up what we’re doing and why.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_01.
  • A DoS profile with blacklisted and whitelisted geolocations and address lists, URL protection, bot defense, rate-based protection and more. See the documentation and schema reference for details.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "controls": {
      "class": "Controls",
      "trace": true,
      "logLevel": "debug"
    },
    "Sample_dos_01": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "template": "generic",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "blacklistedGeolocations": ["Timor-Leste", "Cocos (Keeling) Islands"],
            "whitelistedGeolocations": ["Bonaire, Saint Eustatius and Saba", "Cote D'Ivoire"],
            "captchaResponse": {
              "first": "Are you a robot&quest;<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your supportID is: %DOSL7.captcha.support_id%.",
              "failure": "Error!<br><br>%DOSL7.captcha.image% %DOSL7.captcha.change%<br><b>What code is in the image&quest;</b>%DOSL7.captcha.solution%<br>%DOSL7.captcha.submit%<br><br>Your support ID is: %DOSL7.captcha.support_id%."
            },
            "heavyURLProtection": {
              "automaticDetectionEnabled": true,
              "detectionThreshold": 16,
              "excludeList": ["example.com"],
              "protectList": [{
                  "url": "www.google.com",
                  "threshold": 0
                }
              ]
            },
            "triggerIRule": true,
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "profileAcceleration": {
              "bigip": "/Common/full-acceleration"
            },
            "botDefense": {
              "mode": "during-attacks",
              "blockSuspiscousBrowsers": true,
              "issueCaptchaChallenge": true,
              "gracePeriod": 4000,
              "crossDomainRequests": "validate-bulk",
              "siteDomains": ["www.google.com"],
              "externalDomains": ["www.yahoo.com"],
              "urlWhitelist": ["www.bing.com"]
            },
            "botSignatures": {
              "checkingEnabled": true,
              "blockedCategories": [{
                  "bigip": "/Common/Search Engine"
                }
              ],
              "reportedCategories": [{
                  "bigip": "/Common/Crawler"
                }
              ]
            },
            "rateBasedDetection": {
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "stressBasedDetection": {
              "badActor": {
                "detectionEnabled": false,
                "mitigationMode": "none",
                "signatureDetectionEnabled": false,
                "useApprovedSignaturesOnly": false
              },
              "operationMode": "off",
              "thresholdsMode": "manual",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "deviceID": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "geolocation": {
                "minimumShare": 10,
                "shareIncreaseRate": 500,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "rateLimitingMode": "rate-limit"
              },
              "url": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true,
                "heavyURLProtectionEnabled": true
              },
              "site": {
                "minimumTps": 40,
                "tpsIncreaseRate": 500,
                "maximumTps": 200,
                "minimumAutoTps": 5,
                "maximumAutoTps": 5000,
                "clientSideDefenseEnabled": false,
                "captchaChallengeEnabled": false,
                "rateLimitingEnabled": true
              }
            },
            "recordTraffic": {
              "maximumDuration": 10,
              "maximumSize": 10,
              "recordTrafficEnabled": false,
              "repetitionInterval": 10
            }
          },
          "network": {
            "dynamicSignatures": {
              "detectionMode": "enabled",
              "mitigationMode": "medium",
              "scrubbingEnabled": true,
              "scrubbingCategory": {
                "bigip": "/Common/botnets"
              },
              "scrubbingDuration": 60
            },
            "vectors": [{
                "type": "hop-cnt-low",
                "state": "learn-only",
                "thresholdMode": "manual",
                "rateThreshold": 40000,
                "rateIncreaseThreshold": 600,
                "rateLimit": 1000000,
                "simulateAutoThresholdEnabled": true,
                "badActorSettings": {
                  "enabled": true,
                  "sourceDetectionThreshold": 0,
                  "sourceMitigationThreshold": 0
                },
                "autoBlacklistSettings": {
                  "enabled": true,
                  "category": {
                    "bigip": "/Common/botnets"
                  },
                  "attackDetectionTime": 1,
                  "categoryDuration": 60,
                  "externalAdvertisementEnabled": true
                }
              }
            ]
          },
          "protocolDNS": {
            "vectors": [{
                "type": "ptr",
                "state": "mitigate",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 0,
                "autoAttackCeiling": 0
              }
            ]
          },
          "protocolSIP": {
            "vectors": [{
                "type": "cancel",
                "state": "disabled",
                "thresholdMode": "fully-automatic",
                "autoAttackFloor": 4294967295,
                "autoAttackCeiling": 4294967295,
                "rateIncreaseThreshold": 4294967295
              }
            ]
          },
          "whitelist": {
            "use": "addressList"
          },
          "applicationWhitelist": {
            "use": "addressListHTTP"
          }
        },
        "addressList": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.10"]
        },
        "addressListHTTP": {
          "class": "Firewall_Address_List",
          "addresses": ["10.0.0.11"]
        }
      }
    }
  }

Back to top

2: Using a DoS profile for Mobile Defense

This example shows how you can use a Denial of Service (DoS) profile in a declaration specific to mobile protection. See the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_dos_02.
  • A DoS profile with mobile defense enabled.
{
    "class": "ADC",
    "schemaVersion": "3.6.0",
    "id": "DOS_Profile",
    "Sample_dos_02": {
      "class": "Tenant",
      "Application": {
        "class": "Application",
        "template": "generic",
        "DOS_Profile": {
          "class": "DOS_Profile",
          "application": {
            "scrubbingDuration": 42,
            "remoteTriggeredBlackHoleDuration": 10,
            "mobileDefense": {
              "enabled": true,
              "allowAndroidPublishers": [{
                  "bigip": "/Common/default.crt"
                }
              ],
              "allowAndroidRootedDevice": true,
              "allowIosPackageNames": ["theName"],
              "allowJailbrokenDevices": true,
              "allowEmulators": true,
              "clientSideChallengeMode": "challenge"
            }
          }
        }
      }
    }
  }
  

Back to top

2: Using Accelerated Signatures and TLS Signatures in a DOS profile

This example shows how you can use Accelerated Signatures (enables signature detection before the connection establishment) and TLS Signatures (Enables TLS signature detection before the connection establishment) a Denial of Service (DoS) profile in a declaration. See Detecting and Preventing System DoS and DDoS Attacks in the AFM documentation for more information on the DOS profile, and DOS_Profile_Application_Stress_Based_Detection_Bad_Actor in the Schema Reference for AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named DOS_Profile_signatures.
  • A DoS profile with Accelerated Signatures and TLS Signatures enabled.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "DOS_Profile",
    "DOS_Profile_signatures": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "newDOS": {
                "class": "DOS_Profile",
                "application": {
                    "scrubbingDuration": 42,
                    "remoteTriggeredBlackHoleDuration": 10,
                    "stressBasedDetection": {
                        "badActor": {
                            "acceleratedSignaturesEnabled": true,
                            "tlsSignaturesEnabled": true
                        }
                    }
                }
            }
        }
    }
}

Back to top