Forum Discussion
F5 DOS problem.
Hi guys,
Just want to ask why F5 mitigate and log DDOS attack even if I dont have any DOS and Log profile on my Virtual Servers.
Thank you.
Regards
4 Replies
- Renato
Altostratus
Aren't you talking about syn-cookie protection? Check if this document sounds familiar to you: SOL14779: Overview of BIG-IP SYN cookie protection (11.3.x - 11.6.x).
Here is a good SOL that covers DDOS and the BIG-IP; SYN floods are just one type of DDOS attack the BIG-IP can help mitigate: [SOL14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)](https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14813.html)
If you have one of the bigger appliances, like the 5000 series, they come with hardware syn cookie protection. You can enable syn-cookie-status on a per virtual server basis; it is disabled by default, but enabled by default with some profiles like TCP & FastL4 for "hardware" syn flood protection. It is also enabled on Self-IPs. It's worth noting you need auto last hop enabled for hardware syn cookie protection to work.
From tmsh:
```
root@(BIG-IP-VE-1)(cfg-sync Standalone)(ModuleNotLicensed:Active)(/Common)(tmos) list ltm virtual test_443 syn-cookie-status
ltm virtual test_443 { syn-cookie-status not-activated }
```
You can also look in /var/log/ltm for syn cookie threshold messages. Take your time and read the article; there is a lot of good "starting" information in it. Out of the box, F5's BIG-IP has an arsenal of DDOS protection; it doesn't stop at SYN floods. Here is a quick list from the SOL of DDOS attacks and how BIG-IP mitigates them:

| Attack | Mitigation |
| --- | --- |
| SYN flood | SYN cookie protection |
| ICMP flood | Maximum reject rate |
| Peer-to-peer | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
| IP fragmentation | The BIG-IP system drops IP fragments that fail to meet a certain threshold, unless the fragment is the last in a communication. |
| Slowloris | iRules can filter out well-known attacks. |
| UDP flood | UDP idle session timeout |
| Ping of death | The BIG-IP system is hardened to resist this attack. If the attack is against a virtual server with the Any IP feature enabled, then these packets are sent on to the server. |
| Land | The BIG-IP system is hardened to resist this attack, and does not send this type of packet to the server. |
| Teardrop | The BIG-IP system correctly checks frame alignment and discards improperly aligned fragments to process these attacks. |
| Data attack | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
| Nuke | The BIG-IP system denies ports unless they are specifically enabled. |
| Sub 7 | The BIG-IP system denies high ports unless they are specifically enabled. |
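The reason the original poster sees SYN floods mitigated with no DoS profile attached is that SYN cookie protection works at the TCP-stack level: the device keeps no state for a half-open connection and instead encodes what it needs into the server's initial sequence number, then recovers it from the client's ACK. The following Python model, added here as an illustration and not taken from this thread or from F5, shows the classic Bernstein-style design. The cookie layout, the MSS table, the secret and the sample addresses are all constructed for the example; BIG-IP's hardware and software implementations differ in their details, and the `/var/log/ltm` threshold messages mentioned above are the place to observe the real feature in action.

```python
"""Simplified SYN-cookie model (constructed example, not F5 code).

Demonstrates why a SYN flood does not exhaust connection state when
SYN cookies are active: a SYN costs no memory, and only an ACK carrying
a valid cookie creates a connection entry.
"""
import hashlib
import hmac
import socket
import struct

# Classic cookie layout packed into the 32-bit server ISN:
#   bits 31..27  time counter t (64-second units, mod 32)
#   bits 26..24  index into MSS_TABLE (client MSS rounded down)
#   bits 23..0   truncated MAC over the connection 4-tuple and t
MSS_TABLE = (536, 1300, 1440, 1460)  # representative values, constructed for this model
COOKIE_LIFETIME_UNITS = 2            # accept the current and two previous 64 s windows
SECRET = b"constructed-demo-secret-rotate-in-real-life"  # a real stack rotates this


def _time_counter(now: int) -> int:
    """5-bit coarse clock in 64-second units."""
    return (now // 64) & 0x1F


def _mac24(secret, saddr, daddr, sport, dport, t):
    """24-bit MAC binding the cookie to the 4-tuple and the time window."""
    msg = struct.pack("!4s4sHHI",
                      socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, now):
    """Build the server ISN for the SYN/ACK. Nothing about this SYN is stored."""
    t = _time_counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i  # largest table entry not exceeding the client's MSS
    return (t << 27) | (mss_idx << 24) | _mac24(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    """Validate the cookie echoed in the client's ACK (ack_num - 1).

    Returns the recovered MSS on success, None for a stale or forged cookie.
    """
    t = cookie >> 27
    if (_time_counter(now) - t) & 0x1F > COOKIE_LIFETIME_UNITS:
        return None  # too old: replay or very slow handshake
    if (cookie & 0xFFFFFF) != _mac24(secret, saddr, daddr, sport, dport, t):
        return None  # 4-tuple or window does not match what we signed
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieListener:
    """Toy listener: SYNs are answered statelessly; only valid ACKs create state."""

    def __init__(self, addr, port, secret=SECRET):
        self.addr, self.port, self.secret = addr, port, secret
        self.established = {}  # (client_addr, client_port) -> negotiated MSS

    def on_syn(self, saddr, sport, client_mss, now):
        return make_cookie(self.secret, saddr, self.addr, sport, self.port, client_mss, now)

    def on_ack(self, saddr, sport, ack_num, now):
        cookie = (ack_num - 1) & 0xFFFFFFFF
        mss = check_cookie(self.secret, saddr, self.addr, sport, self.port, cookie, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def simulate(flood_syns=10_000):
    """Spoofed SYN flood plus one legitimate client (all addresses constructed).

    Returns (legit_ack_accepted, forged_ack_accepted, established_count, negotiated_mss).
    """
    srv = SynCookieListener("10.0.0.10", 443)
    for i in range(flood_syns):
        # spoofed sources never complete the handshake; no memory is consumed
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i % 60000, 1460, now=1_000)
    cookie = srv.on_syn("203.0.113.7", 51515, 1380, now=1_000)
    legit = srv.on_ack("203.0.113.7", 51515, cookie + 1, now=1_030)
    # same cookie replayed from a different source address fails the MAC check
    forged = srv.on_ack("203.0.113.8", 51515, cookie + 1, now=1_030)
    return legit, forged, len(srv.established), srv.established.get(("203.0.113.7", 51515))


if __name__ == "__main__":
    print(simulate())
```

The point the model makes is that after ten thousand spoofed SYNs the listener holds exactly one connection entry, for the client that completed the handshake, and the MSS it advertised (1380, rounded down to the 1300 table slot) was recovered from the cookie rather than from stored state. That is also why no DoS profile is needed for this to happen on a BIG-IP: it is a property of how the TCP stack answers SYNs once the syn-cookie threshold is crossed.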
- Nathaneil_Balag
Nimbostratus
Hi everyone,
Thank you for all your suggestions. I am still testing it on my VM LAB.
Regards
- If you feel one of the answers was good, please flag it as an answer to your question.