on 01-Apr-2017 04:00
Following up on our previous article AFM Enhancements In BIG-IP v13, we'll narrow our discussion for this article to Denial-of-Service (DoS) updates in v13. Architectural changes in BIG-IP's user interfaces now allow increased flexibility and easier DoS management. These and other changes to AFM's DoS functionality should make your administrative tasks easier to complete and keep the proverbial firewall migraines to a manageable pounding. Let's now journey through the magical world of BIG-IP v13 AFM.
Prior to BIG-IP version 13, viewing your DoS policy and actually managing your DoS policy was a segregated effort requiring separate "pages" to complete basic management tasks across many DoS vectors. BIG-IP v13 retooled the management GUI using the Angular framework, which allows a dynamic interface so you can edit and view the vector lists at the same time. This is massively helpful when setting thresholds and you need to reference other policies simultaneously.
There are now two simplified methods to edit DoS vectors:
Vector States have 3 possible options:
Auto Threshold Status has 4 states; it's helpful to understand how these states behave when switching between static and automated thresholds.
Thanks again to the Angular-based user interface improvements, the DoS Overview allows a configuration/edit dynamic view. A user can select a DoS profile and virtual server, or select a virtual server directly from the filter settings, and then view and edit the DoS policies applied to that virtual server (soooo niiiiice).
Administrators can filter the displayed vectors by attack status:
Virtual Server (Dos Protected)
Prior to BIG-IP v13, Auto Thresholds were available only at the global device configuration level. Now you may configure Auto Threshold at a profile level and apply it to virtual servers, allowing more granular control for unique applications.
Once Update is clicked, the vector will no longer use its static values. The UI will still report values from the previous static config. If Manual Configuration is selected, the configured values are displayed.
Below we enable Auto Threshold for the ip-frag-flood DoS vector via TMSH.
(tmos)# modify security dos profile dos-sausage dos-network modify { dos-sausage { network-attack-vector modify { ip-frag-flood { auto-threshold enabled } } } }
The completed vector modification can also be viewed via TMSH:
(tmos)# list security dos profile dos-sausage
security dos profile dos-sausage {
    app-service none
    description none
    dos-network {
        dos-sausage {
            dynamic-signatures {
                detection enabled
                mitigation low
            }
            network-attack-vector {
                ip-frag-flood {
                    allow-advertisement disabled
                    auto-blacklisting disabled
                    auto-threshold enabled
                    bad-actor disabled
                    blacklist-category denial_of_service
                    blacklist-detection-seconds 60
                    blacklist-duration 14400
                    ceiling infinite
                    enforce enabled
                    floor 100
                    per-source-ip-detection-pps infinite
                    per-source-ip-limit-pps infinite
                    simulate-auto-threshold disabled
                }
                ...
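As an added example (not F5's or this article's own code), here is a small Python parser for the brace-structured `tmsh list security dos profile` output shown above, used to audit which vectors in a profile are enforced but still running on static thresholds. The sample output is constructed in that format with a trimmed attribute set; the tcp-syn-flood entry and its values are assumed.

```python
"""Parse `tmsh list security dos profile` brace output and report which network
attack vectors are enforced but not yet on Auto Threshold. Added example, not F5
code; SAMPLE is constructed (tcp-syn-flood and its values are assumed)."""

SAMPLE = """security dos profile dos-sausage {
    app-service none
    dos-network {
        dos-sausage {
            network-attack-vector {
                ip-frag-flood {
                    auto-threshold enabled
                    enforce enabled
                }
                tcp-syn-flood {
                    auto-threshold disabled
                    enforce enabled
                }
            }
        }
    }
}"""

def parse_tmsh(text):
    """Convert tmsh brace syntax into nested dicts (one attribute per line)."""
    stack = [{}]                                   # stack[0] is the root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):                     # open a nested block
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                          # close the current block
            stack.pop()
        else:                                      # "key value" leaf
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return stack[0]

def vector_states(text, profile):
    """Map each network attack vector to its auto-threshold and enforce settings."""
    prof = parse_tmsh(text)["security dos profile " + profile]
    vectors = prof["dos-network"][profile]["network-attack-vector"]
    return {name: {k: attrs.get(k, "disabled") for k in ("auto-threshold", "enforce")}
            for name, attrs in vectors.items()}

def static_enforced(text, profile):
    """Vectors that are enforced but still using static (manual) thresholds."""
    return sorted(v for v, s in vector_states(text, profile).items()
                  if s["enforce"] == "enabled" and s["auto-threshold"] != "enabled")
```

Feed it the real `tmsh list` output of a profile and `static_enforced` lists the vectors you have not yet moved to Auto Threshold.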
It's a lot of random stuff to digest, I know, but this is just some of the many changes to AFM's DoS functionality, the rest living under the hood and more geared towards making your life easier without you knowing it (or wanting to know about it). The changes illustrated above are a long time coming and a welcome addition to the BIG-IP security stack. I encourage you to check them out either via evaluation or your Developer/Lab edition of BIG-IP. A big shoutout to James in our NPI team for helping out with documenting these and other changes to our AFM feature stack. Let us know what you think, and if you have any questions feel free to drop us a line. Happy IT'ing.
The body content of the article is missing (blank) for me; are others also getting the same issue?
Thanks,
Sachin
Hi,
Very useful summary! Some questions popped up:
Vector States:
Not Enforced - Statistics are collected. I assume that statistics are only relevant for Auto-Threshold. So what if Manual Configuration is selected - are statistics still collected? If so, does that mean that after changing to Auto-Threshold and Enforce the collected statistics will be used immediately, so setting detection and rate limit levels will be faster?
Auto Threshold Status have 4 states section:
Enabled - quite obvious
Disabled - "...for the vector if enabled..." what do you mean by enabled? Enforced?
Allowed - this is a complete mystery for me: "The vector is disabled, but if enabled will use Auto Threshold" - vector state is Disabled but when set to Enforced (or does enabled mean something else?) Auto Threshold will automatically be used (Auto-Threshold Configuration radio button selected)? If so, it seems not to be the case. When I am setting vector State to Enforce, Manual Configuration is selected. I am getting Allowed resulting in Auto-Threshold selected only after such steps (fresh config of DoS profile):
vector with State: Disabled, Auto Threshold: Allow
select vector, set to Enforce - Manual Configuration selected
Change to Auto-Threshold Configuration, Update
Edit vector again, set to Disabled, Update - Allowed listed (as before)
Edit vector again, set to Enforced - now Auto-Threshold Configuration is selected
Is that an interface bug or did I misunderstand the explanation? For me Allowed means only that Auto-Threshold for the given vector is supported by BIG-IP.
Not Enforced - I assume that this value in Auto Threshold is just to inform that for this vector there is no way to enable Auto-Threshold because the system does not support this functionality, nothing that can be changed by the user?
Auto Threshold per VS - are the DoS Profile vectors enabled for it collecting completely separate stats than those at the Global level? So part of the stats is collected both on Global and VS level (if a given vector is enabled in both)?
"Auto Threshold is enabled by default. If you enable a vector which allows Auto Threshold, it will use it until you change to static." - as already described seems to not work like that in v13.0.0.0.0.1645 VE
Dynamic Signatures - are those signatures created by BDoS? Is that Network BDoS? If so can't find settings for that. BDoS seems to be only visible for Application tab of dos profile.
"Auto Blacklist now available for single endpoint flood" - I can see this type of vector only in Device Configuration:Network Security. In DoS Profile there is only Sweep - is this Sweep vector covering both Single Endpoint Sweep and Single Endpoint Flood?
Is there any reason why the vector list at Device level has a different layout/look than in the DoS Profile?
Piotr
Dear Chase, is there a CLI command to show "bad actor" IPs? Does anyone know?