Configuring L7 Behavioral DoS Protection with BIG-IQ Centralized Management

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites. (Managing DoS Profiles in Shared Security, BIG-IQ Centralized Management)

L7 Behavioral DoS (BaDOS) provides automatic protection against DDoS attacks by analyzing traffic behavior using machine learning and data analysis. Behavioral DoS examines traffic flowing between clients and application servers in data centers, automatically establishes the baseline traffic/flow, then dynamically builds signatures and implements various protections as needed based on the behavior of the application and the attackers, reducing false positives and providing quicker time to mitigation. (BIG-IP Application Security Manager: Implementations - Preventing DoS Attacks on Applications)

BIG-IQ Centralized Management allows the centralized management of BaDOS profiles, providing enhanced reporting and event correlation. This article will guide you through the configuration of BaDOS profiles using BIG-IQ CM User Interface.

It is assumed that the BIG-IP device where the BaDOS profile will be deployed is currently managed by the BIG-IQ cluster, at least one BIG-IQ Logging Node / Data Collection Device is available and the Virtual Server to be protected is already configured (in this example, Hackazon_BaDOS_protected) - the configuration of these elements will not be part of this article.

This article covers:

• configuring the BaDOS profile
• configuring DoS Logging
• monitoring DoS attacks

Configuration of the BaDOS profile

Go to Configuration->SECURITY->Shared Security->DoS profiles and create a new DoS Profile (in the example below, Hackazon_BaDOS).

Go to Application Security, enable it and configure Behavioral & Stress-based Detection, setting Operation Mode to Blocking, Thresholds Mode to Automatic, enabling Signature Detection and setting the Mitigation to Standard protection.

Note: As per BIG-IP Application Security Manager: Implementations - Preventing DoS Attacks on Applications v15.1, the available options for the configuration elements used in this examples are:

For Stress-based Detection and Mitigation, specify how to identify and stop DoS attacks. By default, source IP addresses and URLs are enabled to detect DoS attacks. You can specify other detection methods, and, if setting thresholds manually, adjust the thresholds for each of the settings as needed.

1. By Source IP - Specifies conditions for when to treat an IP address as an attacker. The system calculates one automatic threshold for the most accessed source IP addresses, and another threshold for the rest.
2. By Device ID - Specifies conditions for when to treat a device as an attacker. For automatic thresholds, one threshold is calculated for highly accessed device IDs, and another for the rest.
3. By Geolocation - Specifies when to treat a particular country as an attacker. If using automatic thresholds, the system calculates thresholds for the top 20 geolocations, setting different thresholds for every hour of the day. Thus, thresholds calculated at 9:00AM are based on data from 8:00-9:00AM, and are used at 8:00AM next day.
4. By URL - Specifies when the system treats a URL as under attack. For automatic thresholds, one threshold is calculated for highly accessed URLs, and another for the rest. (Heavy URLs are not included in the calculations.)
5. Site Wide Specifies conditions for how to determine when the entire web site is under attack. For automatic thresholds, one threshold is used sitewide.

At least one mitigation method must be selected before you can edit the detection settings. If the specified thresholds in the settings are reached, the system limits the number of requests per second to the history interval and uses the selected mitigation methods described here. These methods do not apply to Behavioral DoS.

1. Client Side Integrity Defense - Sends a JavaScript challenge to determine whether the client is a legal browser or an illegal script. Only used when the Operation Mode is set to Blocking.
2. CAPTCHA Challenge - Issues a CAPTCHA challenge to the traffic identified as suspicious by source IP address, geolocation, URL, or site wide.
3. Request Blocking - Specifies how and when to block (if the operation mode is set to Blocking) or report (if the operation mode is set to Transparent) suspicious requests. Select Block All to block all suspicious requests or Rate Limit to reduce the number of suspicious requests.

For the Behavioral Detection and Mitigation settings, specify how to mitigate DDoS attacks discovered based on behavior.

• Bad actors behavior detection - Lets the system identify IP addresses of bad actors by examining traffic behavior and anomaly detection.
• Request signatures detection - Examines requests and creates behavioral signatures describe patterns found in attacks the system has identified. Select Use approved signatures only if you want to verify that the system-generated signatures are valid before letting the system use them.
• Mitigation - Specifies the level of mitigation to perform for attacks discovered using behavioral DoS.
• Conservative Protection: If Bad actors behavior detection is enabled, slows down and rate limits requests from anomalous IP addresses based on anomaly detection confidence and server health. If Request signatures detection is enabled, blocks requests that match behavioral signatures.
• Standard Protection: If Bad actors behavior detection is enabled, slows down requests from anomalous IP addresses based on its anomaly detection confidence and server health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on server health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on server health. If Request signatures detection is enabled, blocks requests that match behavioral signatures.
• Aggressive Protection: If Bad actors behavior detection is enabled, does all that standard protection does plus it proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If Request signatures detection is enabled, blocks requests that match behavioral signatures. Increases the impact of blocked requests.
• No Mitigation: Learns and monitors traffic behavior, but takes no action.

For the Prevention Duration setting, specify the time spent in each mitigation step until deciding to move to the next mitigation step.

• Escalation Period - Specifies the minimum time spent in each mitigation step before the system moves to the next step when preventing attacks against an attacker IP address or attacked URL. During a DoS attack, the system performs attack prevention for the amount of time configured here for the mitigation methods that are enabled. If after this period the attack is not stopped, the system enforces the next enabled prevention step. Type a number between 1 and 3600. The default is 120 seconds.
• De-escalation Period - Specifies the time spent in the final escalation step until retrying the steps using the mitigation methods that are enabled. Type a number (greater than the escalation period) between 0 (meaning the steps are never retried) and 86400 seconds. The default value is 7200 seconds (2 hours).

Attach the Hackazon_BaDOS profile to the protected Virtual Server (in this example, Hackazon_BaDOS_protected): go to Configuration->SECURITY->Shared Security->Virtual Servers, click on Hackazon_BaDOS_protected VS and select the Hackazon_BaDOS profile for DoS profile.

Configuration of DoS Logging

Note: Ensure that the Logging Node / Data Collection Device has the DoS protection and Web Application Security services activated and the managed BIG-IP has LTM, SSM and ASM services Discovered/Imported.

On Configuration->SECURITY->Shared Security->Virtual Servers, select the Hackazon_BaDOS_protected VS and click on Configure DoS Logging button. The following objects will be created (if needed) and assigned:

• Logging Profile: dos-remote-logging-profile-asm
• Publisher: dos-remote-logging-publisher
• Log Destinations: dos-remote-logging-destination-remote-hslog
• Pools: dos-remote-logging-pool

Go to Deployment->EVALUATE & DEPLOY-> Local Traffic & Network, create a new Deployment.

Once the evaluation has finished, click on Deploy.

Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment.

Once the evaluation has finished, click on Deploy.

Monitoring DoS attacks

To monitor DoS attacks, go to the Monitoring->DASHBOARDS->DDoS->HTTP Analysis dashboard and the Monitoring->EVENTS->DoS->Application Events event log.

Note: The behavior observed in this example is that at the beginning of a DoS attack, BaDoS first protects by blocking all DoS traffic, incrementing "DoS Blocked" counter. Once the BaDoS dynamic signatures have been computed, BaDoS blocks only the traffic matching the dynamic signatures, incrementing the "Blocked Bad request" counter.

To observe the change in BaDoS profile behavior when individual bad actors are detected, go to Configuration->SECURITY->Shared Security->DoS profiles and modify the BaDoS profile by enabling Bad Actor Detection under the Behavioral Detection and Mitigation.

Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment. Once the evaluation has finished, click on Deploy.

On the HTTP Analysis DDoS Dashboard, you can observe the Blocked Bad Actor counter being incremented while Blocked Bad Requests stop incrementing as a result of bad actors being identified and being added to the grey list: