Excerpted from http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7301a.html; the following is the full content of that page.
The BIG-IP system is a secure device in its default configuration: it denies all traffic except the traffic types that you specifically identify, so the only traffic that passes through the BIG-IP system is the traffic your configuration allows.
Although the BIG-IP system is designed as a deny-by-default device, configuration options are available to mitigate the effects of denial of service (DoS) and other attacks.
Global Settings
Adaptive connection reaping
Adaptive reaping is a global setting that allows the BIG-IP system to remove connections from its connection table when the connection load surpasses a defined percentage of memory usage.
To mitigate DoS attacks, you can configure low-water mark and high-water mark thresholds, as follows:
The low-water mark threshold determines the percentage of memory usage at which the system silently purges stale connections from the connection table. When the memory usage remains above the low-water mark, adaptive reaping becomes more aggressive and active connections closest to their service timeout are purged by the BIG-IP system.
The high-water mark threshold determines the percentage of memory usage at which the system prevents new connections from being established. When the memory usage exceeds the high-water mark, the BIG-IP system does not accept new connections until the memory usage drops below the low-water mark threshold.
Note: Adaptive connection reaping does not apply to SSL proxy connections. However, you can set TCP and UDP connection timeouts that reap idle SSL connections.
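The hysteresis built into the two thresholds is easy to get wrong when planning capacity: once the high-water mark has been reached, new connections stay refused until memory usage falls below the low-water mark, not merely below the high-water mark. The following Python simulation is an added example, not F5 code, of a toy connection table that behaves that way. It assumes one memory page per connection and a reaper that can purge only a fixed number of active flows per sweep; both are simplifications of the real TMM reaper, which works on memory pages (the /var/log/ltm lines below quote used/total pages).

```python
"""Added example, not F5 code: a toy connection table with adaptive-reaping
hysteresis.  Memory is modelled as a fixed number of pages with one
connection per page (a simplification of the real TMM page accounting)."""


class ReaperTable:
    def __init__(self, total_pages, low_water, high_water, idle_timeout, reap_per_sweep):
        self.total = total_pages
        self.low = low_water                  # percent of memory, e.g. 85
        self.high = high_water                # percent of memory, e.g. 95
        self.idle_timeout = idle_timeout      # seconds, as set in the TCP/UDP profile
        self.reap_per_sweep = reap_per_sweep  # assumed: active flows one sweep may purge
        self.conns = {}                       # connection id -> time of last activity
        self.refusing = False                 # set at high-water, cleared only below low-water
        self.aggressive = False
        self.reaped = []

    def usage_pct(self):
        return 100.0 * len(self.conns) / self.total

    def open(self, conn_id, now):
        """A new connection attempt; returns False when the system refuses it."""
        if self.refusing:
            return False
        self.conns[conn_id] = now
        if self.usage_pct() >= self.high:
            self.refusing = True
        return True

    def touch(self, conn_id, now):
        """Traffic on an existing flow resets its idle clock."""
        self.conns[conn_id] = now

    def sweep(self, now):
        """One reaper pass.  Idle flows are always purged.  At or above the
        low-water mark the sweeper turns aggressive and additionally purges the
        active flows closest to their idle timeout (oldest last activity first)."""
        stale = [c for c, t in self.conns.items() if now - t >= self.idle_timeout]
        for c in stale:
            del self.conns[c]
            self.reaped.append(c)
        self.aggressive = self.usage_pct() >= self.low
        if self.aggressive:
            for c in sorted(self.conns, key=self.conns.get)[: self.reap_per_sweep]:
                del self.conns[c]
                self.reaped.append(c)
        if self.refusing and self.usage_pct() < self.low:
            self.refusing = False   # new connections resume only below the LOW mark


def demo():
    """Constructed scenario: a burst of 95 flows against a 100-page table."""
    t = ReaperTable(total_pages=100, low_water=70, high_water=90,
                    idle_timeout=30, reap_per_sweep=5)
    accepted = sum(t.open(f"c{i}", now=0) for i in range(95))
    out = {"accepted_in_burst": accepted,                 # the 90th flow reaches high-water
           "refused_at_high_water": not t.open("late", now=0)}
    for now in range(1, 50):
        t.sweep(now)
        if not t.refusing:
            break
    out["sweeps_until_accepting"] = now
    out["usage_when_accepting"] = t.usage_pct()           # below 70, not merely below 90
    out["reaped_oldest_first"] = t.reaped[:3]
    out["accepts_again"] = t.open("late2", now=now)
    t.touch("late2", now + 29)                            # keep one flow active ...
    t.sweep(now + 30)                                     # ... while the burst is purged as idle
    out["usage_after_idle_purge"] = t.usage_pct()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and note that accepting resumes after the fifth sweep at 65% usage, even though usage dropped below the high-water mark after the first sweep; a high-water mark set too close to the low-water mark therefore produces short, frequent refuse/accept oscillations under sustained load.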
To configure adaptive connection reaping on the BIG-IP system, perform the following procedure:
Log in to the Configuration utility.
Click System.
Click General Properties for version 9.x, or Configuration for version 10.x.
Select General from the Local Traffic drop-down menu.
In the Properties section, set the Reaper High-water Mark and Reaper Low-water Mark settings.
Note: You can disable adaptive connection reaping by setting both values to 100.
Click Update.
Adaptive connection reaping events such as the following are logged to the /var/log/ltm log file:
tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
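A system that spends long stretches in aggressive mode is either undersized or under attack, so these lines are worth alerting on. The following Python script is an added example and not part of the F5 article: it parses sweeper_update events out of constructed sample lines in the format shown above, converts the page counts to a percentage of memory, and totals the time spent in aggressive mode. The host name, timestamps and the unrelated mcpd line in the sample are made up.

```python
"""Added example, not F5 code: extract adaptive-reaper events from /var/log/ltm."""
import re
from datetime import datetime

# Constructed sample in the shape of the sweeper_update lines quoted above (not a real capture).
SAMPLE_LTM_LOG = """\
Jan  5 10:12:01 bigip1 notice tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
Jan  5 10:12:09 bigip1 notice tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
Jan  5 10:40:30 bigip1 notice tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode activated. (117510/138240 pages)
Jan  5 10:42:00 bigip1 notice tmm tmm[714]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117490/138240 pages)
Jan  5 10:42:03 bigip1 notice mcpd[2048]: 01070417:6: unrelated message that must be ignored
"""

SWEEPER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?011e0002:\d: sweeper_update: "
    r"aggressive mode (?P<state>activated|deactivated)\. \((?P<used>\d+)/(?P<total>\d+) pages\)"
)


def parse_sweeper_events(text):
    """Return one dict per sweeper_update line, in log order."""
    events = []
    for line in text.splitlines():
        m = SWEEPER_RE.match(line)
        if not m:
            continue
        used, total = int(m["used"]), int(m["total"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog carries no year
            "state": m["state"],
            "used": used,
            "total": total,
            "pct": 100.0 * used / total,                          # the reaper marks are percentages
        })
    return events


def aggressive_periods(events):
    """Pair activated/deactivated events into (start, end, seconds) tuples.
    An activation with no matching deactivation is reported with end=None."""
    periods, start = [], None
    for e in events:
        if e["state"] == "activated" and start is None:
            start = e
        elif e["state"] == "deactivated" and start is not None:
            periods.append((start["ts"], e["ts"], (e["ts"] - start["ts"]).total_seconds()))
            start = None
    if start is not None:
        periods.append((start["ts"], None, None))
    return periods


def summarize(text, low_water=85):
    """Figures a monitoring job would alert on.  low_water is the configured
    Reaper Low-water Mark (assumed 85 here)."""
    events = parse_sweeper_events(text)
    periods = aggressive_periods(events)
    return {
        "activations": sum(1 for e in events if e["state"] == "activated"),
        "peak_pct": max((e["pct"] for e in events), default=0.0),
        "seconds_aggressive": sum(p[2] for p in periods if p[2] is not None),
        "still_aggressive": any(p[1] is None for p in periods),
        "crossed_low_water": any(e["pct"] >= low_water for e in events),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LTM_LOG).items():
        print(f"{k}: {v}")
```

On the sample, the first activation fires at exactly 85.0% of pages, which is what you would expect with a low-water mark of 85; a line that never deactivates means the system is still reaping at the end of the log and deserves immediate attention.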
SYN flood protection
The BIG-IP system includes a feature known as SYN Check, which helps prevent the BIG-IP SYN queue from becoming full during a SYN flood attack. The SYN Check Activation Threshold setting indicates the number of new TCP connections that can be established before the BIG-IP LTM activates the SYN Cookies authentication method for subsequent TCP connections. When the BIG-IP LTM activates the SYN Cookies authentication method, the system does not need to keep the SYN-RECEIVED state that is normally stored in the connection table for the initiated session. Because the SYN-RECEIVED state is not kept for a connection, the SYN queue cannot be exhausted, and normal TCP communication can continue.
Note: For more information about BIG-IP SYN cookie protection, refer to SOL7847: Overview of BIG-IP SYN cookie protection.
The default value for the SYN Check Activation Threshold setting is 16384 connections. To adjust the SYN Check Activation Threshold, perform the following procedure:
Log in to the Configuration utility.
Click System.
Click General Properties for version 9.x or click Configuration for version 10.x.
Select General from the Local Traffic drop-down menu.
Enter the desired value in the SYN Check Activation Threshold box.
Click Update.
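To see why SYN cookies let the SYN queue stop growing, it helps to model the switch-over. The following Python code is an added example and not F5's implementation: it keeps SYN-RECEIVED state only up to an activation threshold, and beyond that encodes the 4-tuple, the client's initial sequence number, a slow-moving counter and the MSS into the SYN-ACK sequence number under an HMAC, so that the returning ACK can be validated with no stored state at all. The cookie layout (6 counter bits, 2 MSS bits, 24 MAC bits), the MSS table and the per-process secret are this example's own assumptions.

```python
"""Added example, not F5's implementation: a SYN-queue model that switches
from stored SYN-RECEIVED state to SYN cookies once an activation threshold
is reached.  The cookie layout below is this example's own choice."""
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)               # per-process secret (assumption; real stacks rotate it)
COUNTER_PERIOD = 64                   # seconds per counter tick; bounds a cookie's lifetime
COUNTER_BITS = 0x3F                   # 6 bits of the counter survive in the cookie
MSS_TABLE = [536, 1220, 1460, 4312]   # the only MSS values a 2-bit field can carry


def current_counter(now=None):
    return int((time.time() if now is None else now) // COUNTER_PERIOD)


def _mac(src, sport, dst, dport, client_isn, counter, mss_idx):
    msg = struct.pack("!4sH4sHIIB", src, sport, dst, dport, client_isn, counter, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]   # 24-bit tag


def make_cookie(src, sport, dst, dport, client_isn, counter, mss):
    """Server ISN for the SYN-ACK: 6 counter bits | 2 MSS bits | 24 MAC bits."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tag = int.from_bytes(_mac(src, sport, dst, dport, client_isn, counter, mss_idx), "big")
    return ((counter & COUNTER_BITS) << 26) | (mss_idx << 24) | tag


def check_cookie(src, sport, dst, dport, client_isn, cookie, now_counter, max_age=1):
    """Recompute the tag for the current and the previous counter tick.
    Returns the MSS encoded in the cookie, or None if it does not verify."""
    counter_bits = (cookie >> 26) & COUNTER_BITS
    mss_idx = (cookie >> 24) & 0x3
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):
        c = now_counter - age
        if c < 0 or (c & COUNTER_BITS) != counter_bits:
            continue
        if hmac.compare_digest(got, _mac(src, sport, dst, dport, client_isn, c, mss_idx)):
            return MSS_TABLE[mss_idx]
    return None


class SynHandler:
    """Below the threshold, behave like a normal stack and keep SYN-RECEIVED
    state; at the threshold, answer every further SYN with a cookie and keep
    nothing, so the queue cannot grow however many SYNs arrive."""

    def __init__(self, activation_threshold=16384):   # 16384 is the default quoted above
        self.threshold = activation_threshold
        self.half_open = {}          # 4-tuple -> (client_isn, mss): the SYN-RECEIVED state
        self.established = set()
        self.cookies_sent = 0

    def on_syn(self, src, sport, dst, dport, client_isn, mss, counter):
        key = (src, sport, dst, dport)
        if len(self.half_open) < self.threshold:
            self.half_open[key] = (client_isn, mss)
            return None                      # normal SYN-ACK with a random ISN (not modelled)
        self.cookies_sent += 1
        return make_cookie(src, sport, dst, dport, client_isn, counter, mss)

    def on_ack(self, src, sport, dst, dport, seq, ack, counter):
        """Third handshake packet; returns the MSS to use, or None to drop it."""
        key = (src, sport, dst, dport)
        if key in self.half_open:                       # stateful path
            _, mss = self.half_open.pop(key)
            self.established.add(key)
            return mss
        client_isn = (seq - 1) & 0xFFFFFFFF             # the ACK's seq is the client's ISN + 1
        mss = check_cookie(src, sport, dst, dport, client_isn, (ack - 1) & 0xFFFFFFFF, counter)
        if mss is not None:
            self.established.add(key)
        return mss


def demo():
    """Constructed handshake traffic: 5 SYNs against a threshold of 3."""
    h = SynHandler(activation_threshold=3)
    srv = (bytes([10, 0, 0, 1]), 443)
    ctr = 10                                            # fixed counter tick for reproducibility
    cookies = {}
    for i in range(5):
        src, sport = bytes([192, 0, 2, i + 1]), 40000 + i
        cookies[(src, sport)] = h.on_syn(src, sport, *srv, client_isn=1000 + i, mss=1460, counter=ctr)
    out = {"half_open": len(h.half_open), "cookies_sent": h.cookies_sent}
    src, sport = bytes([192, 0, 2, 5]), 40004            # the 5th client got a cookie, no state
    good_ack = (cookies[(src, sport)] + 1) & 0xFFFFFFFF
    out["cookie_ack"] = h.on_ack(src, sport, *srv, seq=1005, ack=good_ack, counter=ctr)
    out["forged_ack"] = h.on_ack(bytes([192, 0, 2, 9]), 40009, *srv, seq=1, ack=12345, counter=ctr)
    out["stale_ack"] = h.on_ack(src, sport, *srv, seq=1005, ack=good_ack, counter=ctr + 3)
    out["stateful_ack"] = h.on_ack(bytes([192, 0, 2, 1]), 40000, *srv, seq=1001, ack=0, counter=ctr)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The price of the stateless path is visible in the model: only what fits in 32 bits (here a coarse MSS and a short counter) survives into the established connection, which is why SYN cookie mode is something you activate under load rather than run permanently, and why the activation threshold should sit well above your normal rate of half-open connections.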
BigDB settings
The TM.MaxRejectRate BigDB key can reduce the effects of a DoS attack by allowing you to limit the number of TCP RSTs or ICMP unreachable packets that the BIG-IP sends in response to incoming connections that cannot be matched with virtual server connections.
Note: For more information, refer to SOL9259: Limiting the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets.
The TM.MaxICMPRate BigDB key can reduce the effects of a DoS attack by allowing you to limit the number of responses the BIG-IP LTM will send for ICMP errors and ICMP unreachable events.
Note: For more information, refer to SOL7113: Limiting responses from BIG-IP LTM for ICMP errors and ICMP Unreachable events.
DoS prevention configuration
TCP and UDP profile connection timers
Unacknowledged SYN packets and stale connections can cause the BIG-IP system's memory utilization to increase, leaving fewer system resources for legitimate connections. Lowering the TCP and UDP timers in the profile removes unacknowledged SYN packets and stale connections from the connection table sooner.
You can adjust the TCP and UDP timers in the TCP and UDP profiles. You should set these timers for the services that you use for your virtual servers.
For example, to adjust the TCP timer in the profile used for HTTP traffic, perform the following procedure:
Log in to the Configuration utility.
Click Local Traffic.
Click Profiles.
From the Protocol drop-down menu, select TCP.
Click the TCP profile that is associated with your HTTP virtual server.
In the Settings section, check the Idle Timeout check box.
Type the new timeout value in the field.
For example, you would type 60 seconds for HTTP or SSL connections.
Click Update.
TCP profile settings
Maximum Segment Retransmissions
The Maximum Segment Retransmissions setting specifies the maximum number of data segment retransmissions that the BIG-IP system allows. The default is eight retransmissions. When that number of retransmissions is exceeded, TMM resets the TCP connection to avoid resource starvation during a potential DoS attack.
Maximum Syn Retransmissions
The Maximum Syn Retransmissions setting specifies the maximum number of times that the BIG-IP system retransmits a SYN packet when it does not receive a corresponding SYN-ACK. The default is four retransmissions.
To change either the Maximum Segment Retransmission setting or the Maximum Syn Retransmissions setting, perform the following procedure:
Log in to the Configuration utility.
Click Local Traffic.
Click Profiles.
From the Protocols menu, select TCP.
Select the relevant TCP profile.
Change the Maximum Segment Retransmission setting or the Maximum Syn Retransmissions setting, as necessary.
Click Update.
Deferred Accept
The Deferred Accept option specifies that the BIG-IP system does not dedicate resources to a connection until it has received the first data packet from the client. This setting is useful against DoS attacks that complete the three-way handshake and then never send any data.
By default, the Deferred Accept option is disabled on the BIG-IP LTM.
To enable the Deferred Accept setting, perform the following procedure:
Log in to the Configuration utility.
Click Local Traffic.
Click Profiles.
From the Protocols menu, select TCP.
Select the relevant TCP profile.
Select the Deferred Accept box.
Click Update.
Note: The Deferred Accept option is not compatible with some applications. For more information, refer to SOL4654: The Deferred Accept TCP Profile option is not compatible with some applications.
IP rate class
A rate class is a rate-shaping policy that allows you to enforce a throughput restriction on incoming traffic. To implement a rate-shaping policy, you must create a rate class, and then apply the rate class to the virtual server. For example, you can create an IP rate class with a base rate of 2 Mbps and a ceiling rate of 30 Mbps, as in the procedure below.
Note: In BIG-IP versions 9.x and 10.x, the rate class module requires a license key.
To create a rate class, perform the following procedure:
Log in to the Configuration utility.
Click Local Traffic (click Network in version 10.x).
Click Rate Shaping.
Click Create.
Type a name for the Rate Class.
In the Base Rate box, type 2000000 (2 Mbps).
In the Ceiling Rate box, type 30000000 (30 Mbps).
In the Burst Size box, type 500 and select Megabytes from the list.
From the Direction list, select Any.
From the Queue Discipline list, select Stochastic Fair Queue.
Click Finished.
You must now associate the rate class with the virtual server (the Rate Class setting in the virtual server's Advanced configuration); a rate class that is not attached to a virtual server shapes nothing.
Virtual server connection limits
You can configure connection limits for the virtual server. The connection limits determine the maximum number of concurrent connections allowed for a virtual server.
Note: The BIG-IP system sends a TCP reset in response to connection attempts to a virtual server for which the connection limit is reached.
To configure connection limits for the virtual server, perform the following procedure:
Log in to the Configuration utility.
Click Local Traffic.
Click Virtual Servers.
Click the virtual server for which you want to configure the connection limit.
From the Configuration drop-down menu, click Advanced.
Type a Connection Limit for the virtual server.
Click Update.
iRules
It is possible to create iRules to filter out various DoS attacks. Once you identify a particular attack, you can write an iRule that discards packets based on specific criteria, such as source IP address.
For example, using an iRule, you can mitigate a location-specific DoS attack. The following iRule inspects the Accept-Language header to get an idea of the source of the attack and filters on that basis; it also diverts the two URIs under attack to another server. Note that Accept-Language is supplied by the client and is trivially spoofed, so treat it as a coarse triage control once an attack has been characterized, not as a reliable identifier of the source:
when HTTP_REQUEST {
    # anotherserverpool, nullsite and mypool are placeholder names from the original example.
    if { [HTTP::uri] equals "/" } {
        #log "uri: [HTTP::uri]"
        HTTP::redirect "http://anotherserverpool"
    } elseif { [HTTP::uri] equals "/homepage.asp" } {
        #log "uri: [HTTP::uri]"
        HTTP::redirect "http://anotherserverpool"
    } elseif { [string tolower [HTTP::header "Accept-Language"]] contains "ru" } {
        # Client-supplied header: a coarse filter, easily evaded by a deliberate attacker.
        HTTP::redirect "http://nullsite"
    } else {
        pool mypool
    }
}