AFM DoS Enhancements in BIG-IP v13

Following up on our previous article, AFM Enhancements In BIG-IP v13, we'll narrow our discussion in this article to the Denial-of-Service (DoS) updates in v13. Architectural changes in BIG-IP's user interface now allow increased flexibility and easier DoS management. These and other changes to AFM's DoS functionality should make your administrative tasks easier to complete and keep the proverbial firewall migraines to a manageable pounding. Let's now journey through the magical world of BIG-IP v13 AFM.

Angular For The Win

Prior to BIG-IP version 13, viewing your DoS policy and actually managing your DoS policy was a segregated effort requiring separate "pages" to complete basic management tasks for a lot of DoS vectors. BIG-IP v13 retooled the management GUI using the Angular framework, which allows a dynamic interface so you can edit and view the vector lists at the same time. This is massively helpful when setting thresholds and you need to reference other policies simultaneously.

There are now two simplified methods to edit DoS vectors:

  • Individual: A pullout dialogue opens to the right of the selected vector as shown above
  • Bulk Edit: Apply changes to one or more vectors; select the checkbox for each one and click one of the following:
    • Enable AutoThreshold
    • Disable AutoThreshold
    • Enforce
    • Don't Enforce
    • Disable

Vector States have 3 possible options:

  • Enforced: Detection and rate limiting are active
  • Not Enforced: Statistics are collected, detection is disabled, rate limiting is disabled
  • Disabled: Statistics are not collected, detection is disabled, rate limiting is disabled

Auto Threshold Status has 4 states; it's helpful to understand how these states behave when switching between static and automated thresholds.

  • Enabled: Device will track historic traffic levels for the vector and set detection and rate limit levels automatically, factoring in the auto threshold sensitivity
  • Disabled: The device uses static detection and rate limit levels for the vector if it is enabled; the detection and rate limit values are either the defaults or user-specified static values
  • Allowed: The vector is disabled, but if enabled will use Auto Threshold
  • Not Allowed: The vector does not support Auto Threshold whether enabled or disabled

Note: The user interface will set a vector to Enforced if you enable or disable Auto Threshold.

Updated DoS Overview page

Thanks again to the Angular-based user interface improvements, the DoS Overview allows a dynamic configuration/edit view. A user can select a DoS profile and virtual server, or select a virtual server directly from the filter settings, and then view and edit the DoS policies applied to that virtual server (soooo niiiiice).

Administrators can filter the displayed vectors by attack status:

  • Show All: Displays all enabled vectors
  • Yellow Triangle (Detected, arrow to left): Displays all vectors that have detected attacks
  • Red Hex (Dropped): Displays all vectors that have rate limited attacks and an attack ID.
  • Red Hex (None): Displays all vectors that have rate limited attacks but are in a transient state with no attack ID. This transient state quickly resolves to a Dropped status with an attack ID.
  • None: Shows all vectors for which no attacks have been detected. This is helpful for identifying vectors that should have lower, more aggressive detection thresholds.

Virtual Server (DoS Protected)

  • DoS Attack: The user can review all attacks and drill down accordingly
  • Device DoS: The user can review config and status of the global DoS vectors
  • Netflow: The user can review all vectors associated with a Netflow collector used for out-of-band DoS detection.

Auto Thresholds added to DoS Profiles

Prior to BIG-IP v13, Auto Thresholds were available only at the global device configuration level. Now you may configure Auto Threshold at a profile level and apply it to virtual servers, allowing for more granular control for unique applications.

  • DoS profile vectors are disabled by default
  • Auto Threshold is enabled by default. If you enable a vector which allows Auto Threshold, it will use it until you change to static.
  • Dynamic signatures are disabled
  • Auto Threshold sensitivity is configured per DoS profile.

Once Update is clicked, the vector will no longer use its static values. The UI will still report values from the previous static config. If Manual Configuration is selected, the configured values are displayed.

Below we enable Auto Threshold for the ip-frag-flood DoS vector via TMSH.

(tmos)# modify security dos profile dos-sausage dos-network modify { dos-sausage { network-attack-vector modify { ip-frag-flood { auto-threshold enabled } } } }

The completed vector modification can also be viewed via TMSH:

(tmos)# list security dos profile dos-sausage 
security dos profile dos-sausage {
    app-service none
    description none
    dos-network {
        dos-sausage {
            dynamic-signatures {
                detection enabled
                mitigation low
            }
            network-attack-vector {
                ip-frag-flood {
                    allow-advertisement disabled
                    auto-blacklisting disabled
                    auto-threshold enabled
                    bad-actor disabled
                    blacklist-category denial_of_service
                    blacklist-detection-seconds 60
                    blacklist-duration 14400
                    ceiling infinite
                    enforce enabled
                    floor 100
                    per-source-ip-detection-pps infinite
                    per-source-ip-limit-pps infinite
                    simulate-auto-threshold disabled
                }
...
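As an added example (not code from the article, nor from F5), the following Python script ties the GUI vector states and bulk-edit actions described earlier to the TMSH form shown here: it parses a tmsh listing like the one above into a tree, reports each vector in the article's own terms (Enforced / Not Enforced, Auto Threshold Enabled / Disabled, static or automatic thresholds), picks out the vectors that are enforced but still on static thresholds, and emits one tmsh modify command of the same shape as the one above to switch all of them to Auto Threshold in a single bulk edit. The sample listing is the article's, trimmed to a few attributes and extended with a hypothetical vector named example-static-vector; the pairing of bulk-edit actions with the enforce and auto-threshold attributes, and the treatment of anything other than enforce enabled as Not Enforced (the listing does not show how a Disabled vector is represented), are assumptions of this example.

```python
import re
from typing import Any, Dict, Iterable, List

# Constructed sample input: the article's tmsh listing trimmed to a few attributes,
# plus a hypothetical second vector (not from the page) that is enforced but static.
SAMPLE_LISTING = """\
security dos profile dos-sausage {
    dos-network {
        dos-sausage {
            network-attack-vector {
                ip-frag-flood {
                    auto-threshold enabled
                    ceiling infinite
                    enforce enabled
                    floor 100
                }
                example-static-vector {
                    auto-threshold disabled
                    ceiling infinite
                    enforce enabled
                    floor 100
                }
            }
        }
    }
}
"""

def parse_tmsh(text: str) -> Dict[str, Any]:
    """'name {' opens a block, a lone '}' closes it, anything else is 'key value'."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in tmsh listing")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block in tmsh listing")
    return root

def vector_report(listing: str) -> Dict[str, Dict[str, str]]:
    """Each profile vector in the article's GUI terms. Assumption: 'enforce enabled'
    is Enforced and anything else is reported as Not Enforced."""
    report: Dict[str, Dict[str, str]] = {}
    for profile in parse_tmsh(listing).values():
        for net in profile.get("dos-network", {}).values():
            for name, attrs in net.get("network-attack-vector", {}).items():
                auto = attrs.get("auto-threshold") == "enabled"
                report[name] = {
                    "state": "Enforced" if attrs.get("enforce") == "enabled" else "Not Enforced",
                    "auto_threshold": "Enabled" if auto else "Disabled",
                    "thresholds": "automatic" if auto else
                    f"static floor={attrs.get('floor', '?')} ceiling={attrs.get('ceiling', '?')}",
                }
    return report

# GUI bulk-edit actions mapped to the tmsh attributes visible in the listing.
# The action-to-attribute pairing is this example's assumption, not from the page.
BULK_ACTIONS = {
    "Enable AutoThreshold": "auto-threshold enabled",
    "Disable AutoThreshold": "auto-threshold disabled",
    "Enforce": "enforce enabled",
    "Don't Enforce": "enforce disabled",
}
_NAME = re.compile(r"^[a-z0-9-]+$")  # the only names allowed into a command string

def build_bulk_modify(profile: str, vectors: Iterable[str], action: str,
                      network: str = "") -> str:
    """One tmsh 'modify' applying a bulk action to several vectors. 'network' is the
    dos-network entry name (equal to the profile name in the article); names are
    validated so nothing else can be spliced into the command handed to tmsh."""
    network = network or profile
    vectors = list(vectors)
    for name in [profile, network, *vectors]:
        if not _NAME.match(name):
            raise ValueError(f"refusing unsafe tmsh name: {name!r}")
    if action not in BULK_ACTIONS or not vectors:
        raise ValueError("unknown action or empty vector list")
    body = " ".join(f"{v} {{ {BULK_ACTIONS[action]} }}" for v in vectors)
    return (f"modify security dos profile {profile} dos-network modify "
            f"{{ {network} {{ network-attack-vector modify {{ {body} }} }} }}")

def static_enforced_vectors(listing: str) -> List[str]:
    """Enforced vectors still on static thresholds: candidates for a bulk switch."""
    return sorted(n for n, r in vector_report(listing).items()
                  if r["state"] == "Enforced" and r["auto_threshold"] == "Disabled")

if __name__ == "__main__":
    for name, row in vector_report(SAMPLE_LISTING).items():
        print(f"{name:22} {row['state']:13} auto-threshold {row['auto_threshold']:9} {row['thresholds']}")
    print(build_bulk_modify("dos-sausage", static_enforced_vectors(SAMPLE_LISTING), "Enable AutoThreshold"))
```

Run as a script it prints the per-vector report and then the generated command, which for a single ip-frag-flood entry is character-for-character the modify command shown earlier. The name check in build_bulk_modify exists because vector and profile names pasted from a ticket or spreadsheet end up inside a command string that tmsh will execute, so the builder refuses anything that is not a plain tmsh-style name rather than trusting its caller.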

Other DoS Changes To Make Life A Bit Simpler And Sweeter

  • Bad Actor Detection & Rate Limiting
    • Bad actor detection and rate limiting thresholds can now be automated. Prior to v13, volumetric DoS vectors supported bad actor detection with optional auto blacklisting, but enforcement thresholds had to be set manually. Now thresholds can be set to automatic.
  • Auto Blacklist now available for Single Endpoint Flood: Version 12 allowed Single Endpoint Sweep vectors to use Auto Blacklisting. v13 adds Single Endpoint Flood to the Auto Blacklist cool kids club.
  • Eviction Policies can now be viewed under DoS Protection
  • ICMP Type/Code invalid combinations are now tracked in the updated BAD ICMP DoS vector
  • SYN Cookies are integrated with other DoS defense features via the new TCP Half Open DoS vector

It's a lot of random stuff to digest, I know, but this is just some of the many changes to AFM's DoS functionality, the rest living under the hood and more geared towards making your life easier without you knowing it (or wanting to know about it). The changes illustrated above are a long time coming and a welcome addition to the BIG-IP security stack. I encourage you to check them out either via evaluation or your Developer/Lab edition of BIG-IP. A big shoutout to James in our NPI team for helping out with documenting these and other changes to our AFM feature stack. Let us know what you think and if you have any questions feel free to drop us a line. Happy IT'ing.

Published Apr 01, 2017
Version 1.0
  • Body content of the article is missing (blank) for me; are others also getting the same issue?

    Thanks,

    Sachin

  • @Sachin, yes same for me. PDF is blank except for title.

  • Hi,

    Very useful summary! Some questions popped up:

    Vector States:

    Not Enforced - Statistics are collected. I assume that statistics are only relevant for Auto-Threshold. So what if Manual Configuration is selected - are statistics still collected? If so, does that mean that after changing to Auto-Threshold and Enforce the collected statistics will be used immediately, so setting detection and rate limit levels will be faster?

    Auto Threshold Status have 4 states section:

    Enabled - quite obvious

    Disabled - "...for the vector if enabled..." what do you mean by enabled? Enforced?

    Allowed - this is a complete mystery for me: "The vector is disabled, but if enabled will use Auto Threshold" - vector state is Disabled but when set to Enforced (or does enabled mean something else?) Auto Threshold will automatically be used (Auto-Threshold Configuration radio button selected)? If so, it seems not to be the case. When I am setting vector State to Enforce, Manual Configuration is selected. I am getting Allowed resulting in Auto-Threshold selected only after such steps (fresh config of DoS profile):

    vector with State: Disabled, Auto Threshold: Allow

    select vector, set to Enforce - Manual Configuration selected

    Change to Auto-Threshold Configuration, Update

    Edit vector again, set to Disabled, Update - Allowed listed (as before)

    Edit vector again, set to Enforced - now Auto-Threshold Configuration is selected

    Is that an interface bug or did I misunderstand the explanation? For me Allowed means only that Auto-Threshold for the given vector is supported by BIG-IP

    Not Enforced - I assume that this value in Auto Threshold is just to inform that for this vector there is no way to enable Auto-Threshold because the system is not supporting this functionality, nothing that can be changed by the user?

    Auto Threshold per VS - is the DoS Profile, for vectors enabled in it, collecting completely separate stats than those at Global level? So part of the stats is collected both on Global and VS level (if a given vector is enabled in both)?

    "Auto Threshold is enabled by default. If you enable a vector which allows Auto Threshold, it will use it until you change to static." - as already described, this seems not to work like that in v13.0.0.0.0.1645 VE

    Dynamic Signatures - are those signatures created by BDoS? Is that Network BDoS? If so, I can't find settings for that. BDoS seems to be only visible for the Application tab of the DoS profile.

    "Auto Blacklist now available for single endpoint flood" - I can see this type of vector only in Device Configuration:Network Security. In DoS Profile there is only Sweep - is this Sweep vector covering both Single Endpoint Sweep and Single Endpoint Flood?

    Is there any reason why the vector list at Device level has a different layout/look than in DoS Profile?

    Piotr