A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) makes a victim's resource unavailable to its intended users, or obstructs the communication media between the intended users and the victimized site so that they can no longer communicate adequately. Perpetrators of DoS attacks typically target sites or services, such as banks, credit card payment gateways, and e-commerce web sites. (Managing DoS Profiles in Shared Security, BIG-IQ Centralized Management)
L7 Behavioral DoS (BaDOS) provides automatic protection against DDoS attacks by analyzing traffic behavior using machine learning and data analysis. Behavioral DoS examines traffic flowing between clients and application servers in data centers, automatically establishes the baseline traffic/flow, then dynamically builds signatures and implements various protections as needed based on the behavior of the application and the attackers, reducing false positives and providing quicker time to mitigation. (BIG-IP Application Security Manager: Implementations - Preventing DoS Attacks on Applications)
BIG-IQ Centralized Management allows the centralized management of BaDOS profiles, providing enhanced reporting and event correlation. This article will guide you through the configuration of BaDOS profiles using BIG-IQ CM User Interface.
It is assumed that the BIG-IP device where the BaDOS profile will be deployed is currently managed by the BIG-IQ cluster, at least one BIG-IQ Logging Node / Data Collection Device is available and the Virtual Server to be protected is already configured (in this example, Hackazon_BaDOS_protected) - the configuration of these elements will not be part of this article.
This article covers:
Go to Configuration->SECURITY->Shared Security->DoS profiles and create a new DoS Profile (in the example below, Hackazon_BaDOS).
Go to Application Security, enable it and configure Behavioral & Stress-based Detection, setting Operation Mode to Blocking, Thresholds Mode to Automatic, enabling Signature Detection and setting the Mitigation to Standard protection.
Note: As per BIG-IP Application Security Manager: Implementations - Preventing DoS Attacks on Applications v15.1, the available options for the configuration elements used in this examples are:
For Stress-based Detection and Mitigation, specify how to identify and stop DoS attacks. By default, source IP addresses and URLs are enabled to detect DoS attacks. You can specify other detection methods, and, if setting thresholds manually, adjust the thresholds for each of the settings as needed.
At least one mitigation method must be selected before you can edit the detection settings. If the specified thresholds in the settings are reached, the system limits the number of requests per second to the history interval and uses the selected mitigation methods described here. These methods do not apply to Behavioral DoS.
For the Behavioral Detection and Mitigation settings, specify how to mitigate DDoS attacks discovered based on behavior.
For the Prevention Duration setting, specify the time spent in each mitigation step until deciding to move to the next mitigation step.
Attach the Hackazon_BaDOS profile to the protected Virtual Server (in this example, Hackazon_BaDOS_protected): go to Configuration->SECURITY->Shared Security->Virtual Servers, click on Hackazon_BaDOS_protected VS and select the Hackazon_BaDOS profile for DoS profile.
Note: Ensure that the Logging Node / Data Collection Device has the DoS protection and Web Application Security services activated and the managed BIG-IP has LTM, SSM and ASM services Discovered/Imported.
On Configuration->SECURITY->Shared Security->Virtual Servers, select the Hackazon_BaDOS_protected VS and click on Configure DoS Logging button. The following objects will be created (if needed) and assigned:
Go to Deployment->EVALUATE & DEPLOY-> Local Traffic & Network, create a new Deployment.
Once the evaluation has finished, click on Deploy.
Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment.
Once the evaluation has finished, click on Deploy.
To monitor DoS attacks, go to the Monitoring->DASHBOARDS->DDoS->HTTP Analysis dashboard and the Monitoring->EVENTS->DoS->Application Events event log.
Note: The behavior observed in this example is that at the beginning of a DoS attack, BaDoS first protects by blocking all DoS traffic, incrementing "DoS Blocked" counter. Once the BaDoS dynamic signatures have been computed, BaDoS blocks only the traffic matching the dynamic signatures, incrementing the "Blocked Bad request" counter.
To observe the change in BaDoS profile behavior when individual bad actors are detected, go to Configuration->SECURITY->Shared Security->DoS profiles and modify the BaDoS profile by enabling Bad Actor Detection under the Behavioral Detection and Mitigation.
Go to Deployment->EVALUATE & DEPLOY-> Shared Security, create a new Deployment. Once the evaluation has finished, click on Deploy.
On the HTTP Analysis DDoS Dashboard, you can observe the Blocked Bad Actor counter being incremented while Blocked Bad Requests stop incrementing as a result of bad actors being identified and being added to the grey list: