Forum Discussion

Jonathan_George's avatar
Jonathan_George
Historic F5 Account
Dec 15, 2010

DDoS attack prevention in LTM

Last week's multiple distributed denial-of-service (DDoS) attacks have led to a fresh interest in how to secure a website and networks against such an invasion. DoS/DDoS attacks are becoming an increasingly common way of bringing down websites and causing network performance degradation. Hackers use a botnet of compromised PCs that are controllable via the ‘Low Orbit Ion Cannon' (LOIC), which is used to direct PC traffic towards delivering a DoS attack.

 

 

However, BIG-IP Local Traffic Manager helps protect against network DoS and DDoS threats. When using LTM, you can protect against network DoS attacks and increase end-user application performance with accurate triggers and controls. In BIG-IP LTM, there are a couple of changes you can make in tightening the configuration and monitoring messages to ensure the LTM helps protect against DoS and DDoS attacks.

 

 

1. Lower the default TCP connection timeouts in the TCP profile.

 

2. Lower the Reaper percents from low 85 / high 95 to low 75 / high 90.

 

a. This means fewer connections are held open, but means the LTM will be more aggressive cleaning out idle

 

connections during a TCP connection flood.

 

3. Analyze the typical and maximum HTTP header size, including cookies, that should legitimately be seen.

 

a. The default maximum on LTM is 32k.

 

b. This should be lowered if your average is 4k and max possible is 8k.

 

c. In this example, setting the max header size to 16 should adequately ensure no false positives (resulting in

 

rejected connections), while helping to ensure a number of HTTP header based DoS attacks are better handled.

 

 

Monitor /var/log/ltm for messages such as:

 

• Sweeper imitated - this means the reapers have kicked in due to high TCP connection counts and high memory

 

utilization

 

• ICMP messages limited to 250 - Usually a ping or form of ICMP attack encountered and being mitigated

 

• SYNcookie activated - SYN flood attack encountered

 

• HTTP header size exceeding 32k length - often from SlowLoris or similar HTTP header attack

 

 

Once configured, BIG-IP LTM's approach to network DoS and DDoS attacks is an attack mitigation configuration that protects core infrastructure when an attack occurs. For more information review the LTM manual on how to Mitigate Denial of Service attacks at: http://support.f5.com/kb/en-us/prod...r=11673465

2 Replies

  • Good stuff Jonathan. Also a good reason to avoid the FastHTTP Virtual Servers.
  • Hi Jonanthan, Good day! In version 12.1.4 I am unable to find the Reaper percents. Is that supposed to be in the TCP Profile?