Understanding L3/4 and DNS Behavioral DoS Mitigation (BDoS)

Dear Reader,

In this article I am writing about another mitigation technology which runs in parallel to the other mitigation methods you can use on a BIG-IP: Dynamic Signatures. These Dynamic Signatures are created by the Behavioral DoS (BDoS) engine. This is a very smart and powerful mechanism to only drop attack traffic without touching legitimate traffic.

Introduction

We know that the CPU can do smart decisions and is usually able to differentiate between good and bad traffic. Frequently, this is simply accomplished by using the flow table. But, the CPU is limited in performance and this is when the FPGAs (Field Programmable Gate Arrays) come into play. This special purpose chips can handle massive numbers of packets but they are “stupid”. Therefore, the CPU needs to program them with detailed information about which packets should get dropped.

The static DoS vectors are relatively simple because they are based on limited attack information such as the protocol, flags, source IPs, destination IPs, and others. But they kick in very fast! This means they (vectors) can program the FPGAs within microseconds and protect the BIG-IP or service. The downside is that the FPGA cannot differentiate if for example a PUSH/ACK packet is valid or one of the attackers because there is not enough information provided. This is where Behavioral DoS can help.

How does BDoS work?

BDoS is about collecting and working with large amounts of statistical and traffic information. It collects the details that can be obtained from L3/4 and DNS. All this information is called “predicates” and the value of a predicate is called a “bin”. For example, the TTL of a packet is the predicate and it can have a value (bin) from 0-255.

 

By collecting this information all the time, the BDoS engine knows how packets usually look like. It knows the predicates and the bin values together with its rates. This provides a pretty good view on how traffic usually looks like and what the rates are for all this information. When an attack happens, the BDoS engine will be able to identify the ‘abnormal’ bins of the predicates and will create a dynamic signature with all these suspicious predicates. This will give a more precise description of the attack traffic then just saying rate limit “TCP PSH/ACK” packets. 

Figure 1: Statistical side model

A simple example

This example is just to explain the principle of BDoS and it uses a very limited set of predicates.

Imagine, based on historical information, the system knows that right at this time we usually see 50k PSH/ACK packets on the BIG-IP and all these packets have a TTL between 50 and 60. Further, the load on the BIG-IP is low and the numbers or packets as well as the associated TTL is within the expected norm.

Suddenly we see on top of this “normal” traffic 10Mpps of PSH/ACK packets with TTL of 30 and the load of the BIG-IP gets too high. BDoS needs to create a signature describing just the attack traffic to program it into the FPGA and lower the rate of packets going into the CPU.

Which PSH/ACK packets should be eliminated? It’s easy: the ones which are not fitting into the “normal”. Which in this case are the PSH/ACK packets with a TTL of 30.

Again, this is a very simplified and limited example because it only looks at the predicates protocol (TCP), flags (PSH/ACK), and TTL. In reality, it would of course require way more predicates to create a more specific signature.

Example of dynamic signatures

Figure 2: Example of a DNS dynamic signature

 

Figure 3: Example of a L3 dynamic signature

 

Behavioral DoS can also be used on HTTP and TLS traffic. But this is done via another Behavioral DoS Engine (BaDOS) which comes from Advanced WAF (A-WAF) and is also included in DDoS Hybrid Defender (DHD). I will discuss BaDOS in another article.

How to configure BDoS

BDoS can be used on the Device level of BIG-IP to protect the resources of the BIG-IP itself and also on a per Service level via a DoS profile attached to a PO/VS.

You can enable BDoS by configuring it on the Network and DNS layer. You simply need to click on the small pencil right of the relevant layer.

Figure 4: Network family layers

For BDoS you can choose between different Mitigation Modes: “Stress Based Mitigation” and “Manual Multiplier”. These modes are discussed in my article Explanation of F5 DDoS threshold modes.

Figure 5: Network properties

If you want to run BDoS in “detect only mode”, then you need to set the Mitigation Sensitivity to “None”. This is different than on the static vectors, where you set the state of the vector to “Detect Only”.

The same is true for the DoS profile where you can also enable BDoS for the Network and DNS layer and BaDOS for HTTP(S).

Here is a useful hint!

When you are under attack and the BIG-IP has generate a dynamic attack signature and mitigates based on stress, then the mitigation threshold gets continuously recalculated based on the health of the protected context (device or service). It will always let “some” traffic go through based on the sensitivity level you have configured. But, you have the ability to change the threshold mode from “Fully Automatic” to “Fully Manual” on the specific signatures and set the Mitigation threshold for example to “0”, which will then block the whole attack traffic via the BDOS signature. 

Figure 6: Dynamic signature with manual threshold

Custom Signatures

If you are aware of specific attack patterns or you simply want to have HW supported FW rules, then you can create your own signatures.

Figure 7: Add manual a signature

Under DoS Configuration > Signatures you can choose “Add Signature” in the “Persistent” tab.

Figure 8: add predicates to a manual signature

 

A simple example could be an NTP flood signatures, which kicks in if too many NTP packets hit the box.

Figure 9: manual NTP predicates

After you have created your custom signature you can configure the thresholds and mitigation state in the DoS profiles or on the Device DoS configuration.

Figure 10: manual threshold configuration of a manual NTP signature

To exclusively handle NTP traffic via this signature and not by the UDP vector, I recommend excluding port 123 from the UDP vector, like you should do with DNS traffic.

Figure 12: Exclude port 123 from UDP vector

Multilayer DDoS protection

Beginning with TMOS version 15, BDoS runs in the Hud-chain before the static DoS vectors. That means that when there is an attack, the static DoS vectors will kick in immediately and protect the service/network behind the BIG-IP and also the BIG-IP itself. Within the next seconds BDoS analyses the traffic and will generate a specific dynamic signature, which describes the attack traffic and will then rate-limit it.

Below you can see that F5 DDoS uses a multilayer DDoS approach. When we just look into L3/4 and what I have so far discussed in my articles, then we have covered the stateful engine with its PVA accelerated connection handling, protected by static DoS vectors which kick in in microseconds and then taken over by the granular behavioral DDoS (BDOS) within seconds.

 

Figure 12: Multi-layer DDoS mitigation architecture

 

From the figure you can see that there are even more protection mechanisms, which I will explain in my next articles.

Thank you, Sven Mueller

Published Jun 25, 2020
Version 1.0
  • Another great article with a very detailed explanation. Thanks for all the work.

  • Great Article with a lot of useful insights. Thank you for sharing this with the Community.