Forum Discussion
F5 DOS problem.
Here is a good SOL that covers DDoS and the BIG-IP; SYN floods are just one type of DDoS attack the BIG-IP can help mitigate: [SOL14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)](https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14813.html)
If you have one of the bigger appliances, like the 5000 series, they come with hardware SYN cookie protection. You can enable syn-cookie-status on a per-virtual-server basis; it is disabled by default, but enabled by default with some profiles like TCP & FastL4 for "hardware" SYN flood protection. It is also enabled on self IPs. It's worth noting you need auto last hop enabled for hardware SYN cookie protection to work.
From tmsh:
```
root@(BIG-IP-VE-1)(cfg-sync Standalone)(ModuleNotLicensed:Active)(/Common)(tmos) list ltm virtual test_443 syn-cookie-status
ltm virtual test_443 {
    syn-cookie-status not-activated
}
```
You can also look in /var/log/ltm for SYN cookie threshold messages. Take your time and read the article; there is a lot of good "starting" information in it. Out of the box, F5's BIG-IP has an arsenal of DDoS protection, and it doesn't stop at SYN floods. Here is a quick list from the SOL of DDoS attacks and how BIG-IP mitigates them:

| Attack | Mitigation |
|---|---|
| SYN flood | SYN cookie protection |
| ICMP flood | Maximum reject rate |
| Peer-to-peer | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
| IP fragmentation | The BIG-IP system drops IP fragments that fail to meet a certain threshold, unless the fragment is the last in a communication. |
| Slowloris | iRules can filter out well-known attacks. |
| UDP flood | UDP idle session timeout |
| Ping of death | The BIG-IP system is hardened to resist this attack. If the attack is against a virtual server with the Any IP feature enabled, then these packets are sent on to the server. |
| Land | The BIG-IP system is hardened to resist this attack, and does not send this type of packet to the server. |
| Teardrop | The BIG-IP system correctly checks frame alignment and discards improperly aligned fragments to process these attacks. |
| Data attack | The BIG-IP system is a port-deny device, and prevents many common exploits by not passing the attack through to the server. |
| Nuke | The BIG-IP system denies ports unless they are specifically enabled. |
| Sub 7 | The BIG-IP system denies high ports unless they are specifically enabled. |
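The post above points at /var/log/ltm for SYN cookie threshold messages. The script below is an added example, not part of the forum post and not F5 code: it parses a handful of constructed log lines shaped like tmm's "Syncookie counter ... exceeded ... threshold" and "Syncookie HW mode activated/exited" messages and summarizes, per virtual server, how many times the threshold was crossed, the worst counter seen, and whether hardware SYN cookie mode is still engaged. The exact wording and message IDs of those log lines are an assumption about the format; check them against your own BIG-IP version and adjust the regexes before relying on the output.

```python
"""Summarize BIG-IP SYN cookie activity from /var/log/ltm lines.

Added example (not from the forum post or from F5). The sample lines and the
message format matched by the regexes are assumptions modelled on tmm's
Syncookie log messages; verify them against your own /var/log/ltm.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample /var/log/ltm excerpt (assumed format, not a real capture).
SAMPLE_LOG = """\
Jan 12 10:15:01 bigip1 warning tmm[12345]: 01010038:4: Syncookie counter 1200 exceeded vip threshold 1000 for virtual = 10.1.10.50:443
Jan 12 10:15:01 bigip1 notice tmm[12345]: 01010240:5: Syncookie HW mode activated, server = 10.1.10.50:443, HSB modId = 1
Jan 12 10:16:30 bigip1 notice tmm[12345]: 01010241:5: Syncookie HW mode exited, server = 10.1.10.50:443, HSB modId = 1 from HSB
Jan 12 10:20:07 bigip1 warning tmm1[12346]: 01010038:4: Syncookie counter 2400 exceeded vip threshold 2000 for virtual = 10.1.10.51:80
Jan 12 10:21:00 bigip1 info mcpd[4567]: 01070638:5: Pool /Common/web_pool member /Common/10.1.20.10:80 monitor status up.
"""

# syslog-style timestamp at the start of each line
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# threshold crossing: counter, vip/global scope, threshold and the virtual's IP:port
THRESHOLD_RE = re.compile(
    r"Syncookie counter (?P<counter>\d+) exceeded (?P<scope>vip|global) threshold "
    r"(?P<threshold>\d+) for virtual = (?P<virtual>\S+)"
)
# hardware SYN cookie mode engaging or releasing for a virtual server
HW_RE = re.compile(r"Syncookie HW mode (?P<state>activated|exited), server = (?P<virtual>[^,\s]+)")


def parse_syncookie_events(log_text: str) -> List[dict]:
    """Return one event dict per SYN cookie related line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group(1) if ts_m else ""
        m = THRESHOLD_RE.search(line)
        if m:
            events.append({"ts": ts, "kind": "threshold", "virtual": m["virtual"],
                           "scope": m["scope"], "counter": int(m["counter"]),
                           "threshold": int(m["threshold"])})
            continue
        m = HW_RE.search(line)
        if m:
            events.append({"ts": ts, "kind": "hw_" + m["state"], "virtual": m["virtual"]})
    return events


def summarize_by_virtual(events: List[dict]) -> Dict[str, dict]:
    """Fold events into per-virtual-server counters and current HW mode state."""
    summary = defaultdict(lambda: {"threshold_events": 0, "max_counter": 0,
                                   "hw_active": False, "last_seen": ""})
    for ev in events:  # events are in log order, so the last HW message wins
        s = summary[ev["virtual"]]
        s["last_seen"] = ev["ts"]
        if ev["kind"] == "threshold":
            s["threshold_events"] += 1
            s["max_counter"] = max(s["max_counter"], ev["counter"])
        elif ev["kind"] == "hw_activated":
            s["hw_active"] = True
        elif ev["kind"] == "hw_exited":
            s["hw_active"] = False
    return dict(summary)


def virtuals_under_syn_pressure(summary: Dict[str, dict]) -> List[str]:
    """Virtual servers that crossed the threshold, worst counter first."""
    return sorted((v for v, s in summary.items() if s["threshold_events"]),
                  key=lambda v: summary[v]["max_counter"], reverse=True)


if __name__ == "__main__":
    summary = summarize_by_virtual(parse_syncookie_events(SAMPLE_LOG))
    for vip in virtuals_under_syn_pressure(summary):
        s = summary[vip]
        print(f"{vip}: {s['threshold_events']} threshold event(s), max counter "
              f"{s['max_counter']}, HW mode active={s['hw_active']}, last {s['last_seen']}")
```

On a live box you would feed it the real file (for example `python3 syncookie_summary.py < /var/log/ltm` after changing the `__main__` block to read stdin) and compare the virtual servers it lists against `tmsh list ltm virtual syn-cookie-status` to confirm that the ones under pressure actually have SYN cookie protection engaged rather than just logging threshold crossings.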