Following up on our previous article AFM Enhancements In BIG-IP v13, we'll narrow our discussion for this article to Denial-Of-Service (DoS) updates in v13. Architectural changes in BIG-IP's user interfaces now allow increased flexibility and easier DoS management. These and other changes to AFM's DoS functionality should make your administrative tasks easier to complete and keep the proverbial firewall migraines to a manageable pounding. Let's now journey through the magical world of BIG-IP v13 AFM.
Angular For The Win
Prior to BIG-IP version 13, viewing your DoS policy and actually managing it were segregated efforts requiring separate "pages" to complete basic management tasks across a large number of DoS vectors. BIG-IP v13 retooled the management GUI using the Angular framework, which allows a dynamic interface so you can edit and view the vector lists at the same time. This is massively helpful when setting thresholds and you need to reference other policies simultaneously.
There are now two simplified methods to edit DoS vectors:
Individual: A pullout dialogue opens to the right of the selected vector, as shown above
Bulk Edit: To apply changes to one or more vectors, select the checkbox for each one and click one of the following:
Vector State has three possible options:
Enforced: Detection and rate limiting are active
Not Enforced: Statistics are collected, detection is disabled, rate limiting is disabled
Disabled: Statistics are not collected, detection is disabled, rate limiting is disabled
Auto Threshold Status has four states; it's helpful to understand how these states interact when switching between static and automated thresholds.
Enabled: Device will track historic traffic levels for the vector and set detection and rate limit levels automatically, factoring in the Auto Threshold sensitivity
Disabled: Device uses static detection and rate limit levels for the vector (if the vector is enabled); the detection and rate limit values are the defaults or user-specified static values
Allowed: The vector is disabled, but if enabled will use Auto Threshold
Not Allowed: The vector does not support Auto Threshold whether enabled or disabled
Note: The user interface will set a vector to enforced if you enable/disable Auto Threshold.
Updated DoS Overview page
Thanks again to the Angular-based user interface improvements, the DoS Overview allows a dynamic configuration/edit view. A user can select a DoS profile and virtual server, or select a virtual server directly from the filter settings, and then view and edit the DoS policies applied to that virtual server (soooo niiiiice).
Administrators can filter the displayed vectors by attack status:
Show All: Displays all enabled vectors
Yellow Triangle (Detected): Displays all vectors that have detected attacks
Red Hex (Dropped): Displays all vectors that have rate limited attacks and have an attack ID
Red Hex (None): Displays all vectors that have rate limited attacks but are in a transient state with no attack ID. This transient state quickly resolves to a Dropped status with an attack ID.
None: Shows all vectors for which no attacks have been detected. This is helpful for identifying vectors that should have lower, more aggressive detection thresholds.
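The vector state and Auto Threshold status rules above, plus the DoS Overview attack-status buckets, are easy to get wrong when you are bulk-editing dozens of vectors, so here is a small Python audit that encodes them. This is an added example, not code from the article or from F5: the vector records are a constructed, simplified stand-in for what a DoS profile's vector list looks like, the field names (state, auto_threshold_supported, detected, dropped, attack_id, and so on) are assumptions rather than the real iControl REST schema, and which sample vectors support Auto Threshold, along with every counter and attack ID, is made up for the example.

```python
"""Audit the network DoS vectors of a BIG-IP AFM DoS profile the way the v13
DoS Overview presents them. Added example; not code from the original article
or from F5. The record shape is a constructed simplification and the field
names are assumptions, not the real iControl REST schema."""
from collections import defaultdict

# Vector State: what each state does (the article's three-state list).
STATE_BEHAVIOUR = {
    "enforced":     {"stats": True,  "detect": True,  "rate_limit": True},
    "not-enforced": {"stats": True,  "detect": False, "rate_limit": False},
    "disabled":     {"stats": False, "detect": False, "rate_limit": False},
}

# Constructed sample profile. Which vectors support Auto Threshold, and every
# counter and attack ID, is made up here; it says nothing about real vectors.
SAMPLE_VECTORS = [
    {"name": "ip-frag-flood", "state": "enforced", "auto_threshold_supported": True,
     "auto_threshold": "enabled", "detection_pps": 30000, "rate_limit_pps": 60000,
     "detected": True, "dropped": True, "attack_id": "0001"},
    {"name": "tcp-syn-flood", "state": "enforced", "auto_threshold_supported": True,
     "auto_threshold": "disabled", "detection_pps": 10000, "rate_limit_pps": 20000,
     "detected": True, "dropped": False, "attack_id": None},
    {"name": "icmpv4-flood", "state": "enforced", "auto_threshold_supported": True,
     "auto_threshold": "enabled", "detection_pps": 30000, "rate_limit_pps": 60000,
     "detected": True, "dropped": True, "attack_id": None},   # transient: no ID yet
    {"name": "udp-flood", "state": "not-enforced", "auto_threshold_supported": True,
     "auto_threshold": "enabled", "detection_pps": 30000, "rate_limit_pps": 60000,
     "detected": False, "dropped": False, "attack_id": None},
    {"name": "tcp-rst-flood", "state": "disabled", "auto_threshold_supported": True,
     "auto_threshold": "enabled", "detection_pps": 30000, "rate_limit_pps": 60000,
     "detected": False, "dropped": False, "attack_id": None},
    {"name": "tcp-half-open", "state": "enforced", "auto_threshold_supported": False,
     "auto_threshold": "disabled", "detection_pps": 30000, "rate_limit_pps": 60000,
     "detected": False, "dropped": False, "attack_id": None},
]


def auto_threshold_status(v):
    """The four-way Auto Threshold Status shown in the vector list."""
    if not v["auto_threshold_supported"]:
        return "Not Allowed"          # static values only, whatever the state
    if v["state"] == "disabled":
        return "Allowed"              # would use Auto Threshold once enabled
    return "Enabled" if v["auto_threshold"] == "enabled" else "Disabled"


def effective_thresholds(v):
    """What actually governs detection and rate limiting right now.

    None   : nothing is enforced (Not Enforced or Disabled state)
    "auto" : learned levels apply; static numbers the UI may still show are ignored
    dict   : the static (default or user-set) levels apply
    """
    if not STATE_BEHAVIOUR[v["state"]]["detect"]:
        return None
    if auto_threshold_status(v) == "Enabled":
        return "auto"
    return {"detection_pps": v["detection_pps"], "rate_limit_pps": v["rate_limit_pps"]}


def toggle_auto_threshold(v, enabled):
    """Model the UI note: enabling or disabling Auto Threshold also sets the
    vector to Enforced, so a Disabled or Not Enforced vector starts mitigating."""
    if not v["auto_threshold_supported"]:
        raise ValueError(f'{v["name"]}: Auto Threshold is Not Allowed for this vector')
    changed = dict(v)
    changed["auto_threshold"] = "enabled" if enabled else "disabled"
    changed["state"] = "enforced"
    return changed


def attack_status(v):
    """Bucket a vector as the DoS Overview status filter does."""
    if v["dropped"]:
        return "Dropped" if v["attack_id"] else "Dropped (no attack ID yet)"
    if v["detected"]:
        return "Detected"
    return "None"


def overview_report(vectors):
    """Group vectors by attack status plus two audit views: vectors only
    collecting statistics without mitigating, and quiet enforced vectors on
    static thresholds that may deserve lower, more aggressive values."""
    by_status = defaultdict(list)
    for v in vectors:
        by_status[attack_status(v)].append(v["name"])
    watch_only = [v["name"] for v in vectors if v["state"] == "not-enforced"]
    quiet_static = [v["name"] for v in vectors
                    if attack_status(v) == "None" and v["state"] == "enforced"
                    and auto_threshold_status(v) != "Enabled"]
    return {"by_status": dict(by_status), "watch_only": watch_only,
            "quiet_static": quiet_static}


if __name__ == "__main__":
    for v in SAMPLE_VECTORS:
        print(f'{v["name"]:14} {v["state"]:13} auto={auto_threshold_status(v):12} '
              f'status={attack_status(v):26} thresholds={effective_thresholds(v)}')
    print(overview_report(SAMPLE_VECTORS))
```

Note the asymmetry the toggle function models: flipping Auto Threshold on a vector that was Disabled does not just change how thresholds are computed, it starts enforcement, which is exactly the surprise a bulk edit across many vectors can produce.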
Virtual Server (DoS Protected)
DoS Attack - The user can review all attacks and drill down accordingly
Device DoS - The user can review the config and status of the global DoS vectors
Netflow - The user can review all vectors associated with a Netflow collector used for out-of-band DoS detection.
Auto Thresholds added to DoS Profiles
Prior to BIG-IP v13, Auto Thresholds were available only at the global device configuration level. Now you may configure Auto Threshold at the profile level and apply it to virtual servers, allowing more granular control for unique applications.
DoS profile vectors are disabled by default
Auto Threshold is enabled by default. If you enable a vector that allows Auto Threshold, it will use it until you change to static values.
Dynamic signatures are disabled
Auto Threshold sensitivity is configured per DoS profile.
Once Update is clicked, the vector will no longer use its static values. The UI will still report values from the previous static config. If manual configuration is selected, the configured values are displayed.
Below we enable Auto Threshold for the ip-frag-flood DoS vector via TMSH.
Other DoS Changes To Make Life A Bit Simpler And Sweeter
Bad Actor Detection & Rate Limiting
Bad actor detection and rate limiting thresholds can now be automated. Prior to v13, volumetric DoS vectors supported bad actor detection with optional auto blacklisting but enforcement thresholds had to be set manually. Now thresholds can be set to automatic.
Auto Blacklist now available for single endpoint flood: Version 12 allowed Single Endpoint Sweep vectors to use Auto Blacklisting. V13 adds Single Endpoint Flood to the Auto Blacklist cool kids club.
Eviction Policies can now be viewed under DoS Protection
ICMP Type/Code invalid combinations are now tracked in the updated Bad ICMP DoS vector
SYN cookies are integrated with other DoS defense features via the new TCP Half Open DoS vector
It's a lot of random stuff to digest I know, but this is just some of the many changes to AFM's DoS functionality, the rest living under the hood and more geared towards making your life easier without you knowing it (or wanting to know about it). The changes illustrated above are a long time coming and a welcome addition to the BIG-IP security stack. I encourage you to check them out either via evaluation or your Developer/Lab edition of BIG-IP. A big shoutout to James in our NPI team for helping out with documenting these and other changes to our AFM feature stack. Let us know what you think and if you have any questions feel free to drop us a line. Happy IT'ing.