Following up on our previous article AFM Enhancements In BIG-IP v13, we'll narrow our discussion for this article to Denial-of-Service (DoS) updates in v13. Architectural changes in BIG-IP's user interface now allow increased flexibility and easier DoS management. These and other changes to AFM's DoS functionality should make your administrative tasks easier to complete and keep the proverbial firewall migraines to a manageable pounding. Let's now journey through the magical world of BIG-IP v13 AFM.

Angular For The Win

Prior to BIG-IP version 13, viewing your DoS policy and actually managing your DoS policy was a segregated effort requiring separate "pages" to complete basic management tasks for a lot of DoS vectors. BIG-IP v13 retooled the management GUI using the Angular framework, which allows a dynamic interface so you can edit and view the vector lists at the same time. This is massively helpful when setting thresholds and you need to reference other policies simultaneously.

DevCentral AFM New Angular Interface

There are now two simplified methods to edit DoS vectors:

  • Individual: A pullout dialogue opens to the right of the selected vector as shown above
  • Bulk Edit: To apply changes to one or more vectors, select the checkbox for each one and click one of the following:
    • Enable AutoThreshold
    • Disable AutoThreshold
    • Enforce
    • Don't Enforce
    • Disable

Vector States have 3 possible options:

  • Enforced: Detection and rate limiting are active
  • Not Enforced: Statistics are collected, detection is disabled, rate limiting is disabled
  • Disabled: Statistics are not collected, detection is disabled, rate limiting is disabled

Auto Threshold status has 4 states; it's helpful to understand how these states behave when switching between static and automated thresholds.

  • Enabled: Device will track historic traffic levels for the vector and set detection and rate limit levels automatically, factoring in the auto threshold sensitivity
  • Disabled: The device uses static detection and rate limit levels for the vector; if the vector is enabled, the detection and rate limit values are the defaults or user-specified static values
  • Allowed: The vector is disabled, but if enabled will use Auto Threshold
  • Not Allowed: The vector does not support Auto Threshold whether enabled or disabled
Note: The user interface will set a vector to Enforced if you enable or disable Auto Threshold.

Updated DoS Overview page

Thanks again to the Angular-based user interface improvements, the DoS Overview allows a dynamic configuration/edit view. A user can select a DoS profile and virtual server, or select a virtual server directly from the filter settings, and then view and edit the DoS policies applied to that virtual server (soooo niiiiice).

DevCentral DoS Overview

Administrators can filter the displayed vectors by attack status:

  • Show All: Displays all enabled vectors
  • Yellow Triangle (arrow to left): Detected; displays all vectors that have detected attacks
  • Red Hex (Dropped): Displays all vectors that have rate limited attacks and an attack ID.
  • Red Hex (None): Displays all vectors that have rate limited attacks but are in a transient state with no attack ID. This transient state quickly resolves to a Dropped status with an attack ID.
  • None: Shows all vectors for which no attacks have been detected. This is helpful for identifying vectors that should have lower, more aggressive detection thresholds.

Virtual Server (DoS Protected)

  • DoS Attack: The user can review all attacks and drill down accordingly
  • Device DoS: The user can review the config and status of the global DoS vectors
  • Netflow: The user can review all vectors associated with a Netflow collector used for out-of-band DoS detection.

Auto Thresholds added to Dos Profiles

Prior to BIG-IP v13, Auto Thresholds were available only at the global device configuration level. Now you may configure Auto Threshold at the profile level and apply it to virtual servers, allowing more granular control for unique applications.

  • DoS profile vectors are disabled by default
  • Auto Threshold is enabled by default. If you enable a vector which allows Auto Threshold, it will use it until you change to static.
  • Dynamic signatures are disabled
  • Auto Threshold sensitivity is configured per DoS profile.


Once Update is clicked, the vector will no longer use its static values. The UI will still report the values from the previous static config; if manual configuration is selected, the configured values are displayed.

Below we enable Auto Threshold for the ip-frag-flood DoS vector via TMSH.

(tmos)# modify security dos profile dos-sausage dos-network modify { dos-sausage { network-attack-vector modify { ip-frag-flood { auto-threshold enabled } } } }

The completed vector modification can also be viewed via TMSH:

(tmos)# list security dos profile dos-sausage 
security dos profile dos-sausage {
    app-service none
    description none
    dos-network {
        dos-sausage {
            dynamic-signatures {
                detection enabled
                mitigation low
            }
            network-attack-vector {
                ip-frag-flood {
                    allow-advertisement disabled
                    auto-blacklisting disabled
                    auto-threshold enabled
                    bad-actor disabled
                    blacklist-category denial_of_service
                    blacklist-detection-seconds 60
                    blacklist-duration 14400
                    ceiling infinite
                    enforce enabled
                    floor 100
                    per-source-ip-detection-pps infinite
                    per-source-ip-limit-pps infinite
                    simulate-auto-threshold disabled
                }
...
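As an added example (not code from the article or from F5), the script below parses the brace-structured tmsh output shown above into nested dicts and applies the state rules described earlier: enforce enabled means Enforced, and once auto-threshold is enabled the static floor/ceiling values the UI still displays are no longer in use. The sample config is constructed to mirror the article's output; the icmp-frag vector in it is made up for illustration.

```python
# Added example, not F5's code: parse "tmsh list security dos profile" output
# into nested dicts and summarise each network-attack-vector's settings.
def parse_tmsh(text):
    # Each line is "key value", "name {" or "}"; build nested dicts.
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line:
            key, _, val = line.partition(" ")
            cur[key] = val
    return root
def vector_summary(vec):
    # enforce -> Enforced / Not Enforced; with auto-threshold enabled the static floor/ceiling are unused even though the UI still shows them.
    auto = vec.get("auto-threshold") == "enabled"
    return {
        "state": "Enforced" if vec.get("enforce") == "enabled" else "Not Enforced",
        "auto_threshold": auto,
        "static_values_in_use": not auto,
        "floor": vec.get("floor"),
        "ceiling": vec.get("ceiling"),
    }
def audit(text, profile):
    dos = parse_tmsh(text)["security dos profile " + profile]["dos-network"][profile]
    return {n: vector_summary(v) for n, v in dos["network-attack-vector"].items()}
# Constructed sample in the article's format; the icmp-frag vector is made up.
SAMPLE = """security dos profile dos-sausage {
    dos-network {
        dos-sausage {
            network-attack-vector {
                ip-frag-flood {
                    auto-threshold enabled
                    ceiling infinite
                    enforce enabled
                    floor 100
                }
                icmp-frag {
                    auto-threshold disabled
                    enforce disabled
                }
            }
        }
    }
}
"""
```

Run `audit(SAMPLE, "dos-sausage")` to get a per-vector summary; on a real unit, feed it the output of `tmsh list security dos profile <name>` instead of the sample.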

Other DoS Changes To Make Life A Bit Simpler And Sweeter

  • Bad Actor Detection & Rate Limiting: Bad actor detection and rate limiting thresholds can now be automated. Prior to v13, volumetric DoS vectors supported bad actor detection with optional auto blacklisting, but enforcement thresholds had to be set manually. Now thresholds can be set to automatic.

DevCentral Bad Actor Detection

  • Auto Blacklist now available for Single Endpoint Flood: Version 12 allowed Single Endpoint Sweep vectors to use Auto Blacklisting. v13 adds Single Endpoint Flood to the Auto Blacklist cool kids club.
  • Eviction Policies can now be viewed under DoS Protection
  • ICMP Type/Code invalid combinations are now tracked in the updated Bad ICMP DoS vector
  • SYN cookies are integrated with other DoS defense features via the new TCP Half Open DoS vector


It's a lot of random stuff to digest, I know, but this is just some of the many changes to AFM's DoS functionality, the rest living under the hood and more geared towards making your life easier without you knowing it (or wanting to know about it). The changes illustrated above are a long time coming and a welcome addition to the BIG-IP security stack. I encourage you to check them out either via evaluation or your Developer/Lab edition of BIG-IP. A big shoutout to James in our NPI team for helping out with documenting these and other changes to our AFM feature stack. Let us know what you think, and if you have any questions feel free to drop us a line. Happy IT'ing.