Forum Discussion

Nathaneil_Balag (Nimbostratus)
Nov 20, 2015

F5 DOS problem.

Hi guys,

Just want to ask why F5 mitigates and logs DDoS attacks even if I don't have any DoS and Log profile on my Virtual Servers.

Thank you.

Regards

4 Replies

  • Here is a good SOL that covers DDoS and the BIG-IP; SYN floods are just one type of DDoS attack the BIG-IP can help mitigate. [SOL14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)](https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14813.html)

    If you have one of the bigger appliances, like the 5000 series, they come with hardware SYN cookie protection. You can enable syn-cookie-status on a per virtual server basis: disabled by default, but enabled by default with some profiles like TCP & FastL4 for "hardware" SYN flood protection. It is also enabled on Self-IPs. It's worth noting you need auto last hop enabled for hardware SYN cookie protection to work.

    From tmsh:

    root@(BIG-IP-VE-1)(cfg-sync Standalone)(ModuleNotLicensed:Active)(/Common)(tmos) list ltm virtual test_443 syn-cookie-status

    ltm virtual test_443 { syn-cookie-status not-activated }

    You can also look in /var/log/ltm for SYN cookie threshold messages. Take your time and read the article; there is a lot of good "starting" information in it. Out of the box, F5's BIG-IP has an arsenal of DDoS protection; it doesn't stop at SYN floods. Here is a quick list from the SOL of DDoS attacks and how BIG-IP mitigates them:


    | Attack | Mitigation |
    | --- | --- |
    | SYN flood | SYN cookie protection |
    | ICMP flood | Maximum reject rate |
    | Peer-to-peer | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
    | IP fragmentation | The BIG-IP system drops IP fragments that fail to meet a certain threshold, unless the fragment is the last in a communication. |
    | Slowloris | iRules can filter out well-known attacks. |
    | UDP flood | UDP idle session timeout |
    | Ping of death | The BIG-IP system is hardened to resist this attack. If the attack is against a virtual server with the Any IP feature enabled, then these packets are sent on to the server. |
    | Land | The BIG-IP system is hardened to resist this attack, and does not send this type of packet to the server. |
    | Teardrop | The BIG-IP system correctly checks frame alignment and discards improperly aligned fragments to process these attacks. |
    | Data attack | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
    | Nuke | The BIG-IP system denies ports unless they are specifically enabled. |
    | Sub 7 | The BIG-IP system denies high ports unless they are specifically enabled. |
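The answer above gives two places to look when asking whether SYN cookie protection is engaged on a virtual server: the `syn-cookie-status` field from `tmsh list ltm virtual`, and threshold messages in /var/log/ltm. The script below joins those two sources into one per-virtual-server view so an operator can see which virtuals have had threshold events and what their current status is. This is an added example, not F5 code and not the poster's; the tmsh output format is the one shown in the reply above, while the log line wording, the message fields and the virtual server names in the samples are constructed assumptions (real /var/log/ltm messages vary by version, so adjust LOG_RE to what your system actually logs).

```python
import re

# Format of `tmsh list ltm virtual <name> syn-cookie-status`, one block per
# virtual, exactly as shown in the reply above.
TMSH_RE = re.compile(r"^ltm virtual (\S+) \{ syn-cookie-status (\S+) \}", re.M)

# ASSUMED log wording: only the words "syncookie threshold" and a trailing
# "virtual = <name>" are relied on. Tune this to your version's messages.
LOG_RE = re.compile(r"syncookie threshold .*?virtual = (\S+)", re.I)

# Constructed sample tmsh output (names are made up for illustration).
SAMPLE_TMSH = """\
ltm virtual test_443 { syn-cookie-status not-activated }
ltm virtual web_80 { syn-cookie-status activated }
ltm virtual api_8443 { syn-cookie-status not-activated }
"""

# Constructed sample /var/log/ltm lines, NOT captured from a real device.
# Note the partition prefix (/Common/) that tmsh output above omits.
SAMPLE_LOG = """\
Nov 20 10:01:02 bigip1 warning tmm[1234]: Syncookie threshold 16384 exceeded, virtual = /Common/web_80
Nov 20 10:01:07 bigip1 warning tmm[1234]: Syncookie threshold 16384 exceeded, virtual = /Common/web_80
Nov 20 10:02:15 bigip1 notice tmm[1234]: Syncookie threshold 16384 exceeded, virtual = /Common/api_8443
Nov 20 10:03:00 bigip1 info httpd[555]: unrelated message, ignored by the parser
"""


def short_name(name):
    """Normalise '/Common/web_80' and 'web_80' to the same key."""
    return name.rsplit("/", 1)[-1]


def parse_tmsh(text):
    """Map virtual server name -> syn-cookie-status value."""
    return {short_name(n): s for n, s in TMSH_RE.findall(text)}


def count_threshold_events(log_text):
    """Count SYN cookie threshold messages per virtual server."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            name = short_name(m.group(1))
            counts[name] = counts.get(name, 0) + 1
    return counts


def summarize(tmsh_text, log_text):
    """One row per virtual: current status plus how often it hit the threshold."""
    status = parse_tmsh(tmsh_text)
    events = count_threshold_events(log_text)
    rows = []
    for name in sorted(set(status) | set(events)):
        rows.append({
            "virtual": name,
            # "unknown" flags a virtual seen in logs but missing from tmsh output
            "syn_cookie_status": status.get(name, "unknown"),
            "threshold_events": events.get(name, 0),
        })
    return rows


if __name__ == "__main__":
    # On a real unit you would feed in `tmsh list ltm virtual syn-cookie-status`
    # output and the contents of /var/log/ltm instead of the samples.
    for r in summarize(SAMPLE_TMSH, SAMPLE_LOG):
        print(f"{r['virtual']:<12} {r['syn_cookie_status']:<14} {r['threshold_events']}")
```

The partition-prefix normalisation matters: tmsh output and log lines name the same object differently, and without it the two sources would never line up. A virtual that shows threshold events while its status remains `not-activated` is the one worth a closer look against the SOL linked above.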

  • Hi everyone,

    Thank you for all your suggestions. I am still testing it on my VM LAB.

    Regards

    • boneyard (MVP)
      If you feel one of the answers was good, please flag it as an answer to your question.